Vulnerability Assessment of Vehicle Access System using Software-Defined Radio (SDR): Attacks, Testing, Comparative Analysis and Future Countermeasures | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article Vulnerability Assessment of Vehicle Access System using Software-Defined Radio (SDR): Attacks, Testing, Comparative Analysis and Future Countermeasures Iram Shaikh, Vedant Sakinal, Vedashree Bhongale, Sheetal Borde, and 2 more This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-7415591/v1 This work is licensed under a CC BY 4.0 License Status: Published Journal Publication published 02 Mar, 2026 Read the published version in Journal of Transportation Security → Version 1 posted 6 You are reading this latest preprint version Abstract Remote Keyless Entry systems have become an integral component of contemporary vehicles, enhancing user convenience while simultaneously posing potential security challenges. However, with this convenience comes a growing concern over potential security vulnerabilities, particularly those involving radio frequency (RF) attacks such as replay attacks, relay attacks, and signal jamming. This research paper investigates the vulnerabilities of RKE systems across multiple car models, evaluating their susceptibility to RF-based exploits. Our testing results reveal significant disparities in the security robustness of different car models, highlighting the need for improved encryption protocols and signal authentication mechanisms. This study provides a comparative analysis of RKE vulnerabilities, offering insights into the current state of automotive security and proposing recommendations for mitigating risks associated with RF attacks. By offering a comparative analysis of performance and security parameters, this research aims to inform automotive manufacturers, cybersecurity experts, and consumers about the inherent risks associated with current RKE implementations and to advocate for the development and adoption of more secure vehicular access technologies. Vehicle vulnerabilities Software- Defined Radio RFID Replay attack Figures Figure 1 Figure 2 Figure 3 Figure 4 Figure 5 Figure 6 Figure 7 Figure 8 Figure 9 1 Introduction In the modern automotive world, vehicle access systems have transitioned from traditional mechanical keys to advanced wireless technologies such as Remote Keyless Entry (RKE) and Passive Keyless Entry (PKE). However, this shift has introduced new security challenges. The reliance on radio frequency (RF) communication systems exposes vehicles to vulnerabilities like signal interception, replay attacks, and jamming, which can compromise the security and safety of both vehicles and their owners. The fundamental principle behind most modern vehicle access systems is RF communication, where a key fob transmits a signal to a receiver in the vehicle to execute commands such as unlocking doors or starting the engine [ 2 ]. Another notable implementation of a keyless entry system utilizes a compact radio card transponder that communicates with the vehicle via inductive coupling through loop antennas, enabling hands-free access [ 1 ]. Despite these advancements, existing systems often lack comprehensive testing environments to validate resilience against RF-based attacks. While [ 15 ] introduced control-based immobilization, and [ 16 ] added facial biometrics to improve authentication, neither addressed underlying vulnerabilities in the system. Thus, this convenience is countered by the risk of unauthorized access through methods that exploit weaknesses in RF signal transmission. [ 12 ]. Software-Defined Radio (SDR) technology presents a unique and powerful solution to address these challenges. It is a radio communication system that performs modulation, demodulation, and filtering using software instead of dedicated hardware, and is thus used in the proposed system for analyzing and emulating vehicle access signals [ 9 , 10 ]. SDR allows for the flexible implementation and analysis of various communication protocols and RF signal processing through software rather than hardware. This capability is particularly advantageous in the context of vehicle access systems, as it facilitates comprehensive testing and evaluation of RF communi- cation security. SDR can emulate different types of RF signals and protocols, enabling researchers and developers to identify potential vulnerabilities and devise effective countermeasures. The primary goal of this project is to leverage SDR to create a vehicle access sys- tem that not only identifies existing vulnerabilities in RF-based unlocking mechanisms but also proposes robust solutions to enhance security. By studying the specific pro- tocols and technologies utilized in modern keyless entry systems, the project aims to understand the potential attack vectors and develop secure unlocking mechanisms that incorporate advanced signal processing techniques, encryption, and authentication methods [ 3 ]. This dual approach—examining both the vulnerabilities and the solutions—will provide valuable insights into securing vehicular access against emerging threats. This paper will detail the design and development process of the SDR-based vehicle access system, encompassing a thorough analysis of RF communication protocols, the security threats posed by malicious actors, and the implementation of preventive measures aimed at ensuring secure vehicle access. By concluding this project, we aspire to establish the SDR platform as both a tool for testing vulnerabilities and a frame- work for creating more resilient vehicle access systems, ultimately contributing to the advancement of automotive security technologies in the face of evolving threats. 2 Vulnerabilities in remote keyless entry system Remote Keyless Entry (RKE) systems provide significant ease of use and convenience, but they also introduce a range of security concerns. These systems function through wireless communication, which inherently carries risks that can be exploited by malicious actors. The core security vulnerabilities of RKE systems stem from the ease with which wireless signals can be captured, altered, or resent. This section explores the primary threats identified in existing literature on RKE technologies, such as relay attacks, replay attacks, and weaknesses specific to RFID-based mechanisms 2.1 Relay Attacks Among the most widespread and well-studied threats to RKE systems are relay attacks. In these attacks, adversaries extend the communication range between the key fob and the vehicle by using relay devices. As shown in Fig. 1 , one device is placed close to the key fob, while another is near the car. The legitimate signal is then transmitted between the two, effectively tricking the car into believing the key fob is nearby and enabling access or ignition. Relay attacks are particularly dangerous because they do not require direct access to the key fob. Attackers can execute such operations from a distance—outside a home or in a parking area—making detection difficult. Research indicates that these relay devices can be easily built or acquired, and they amplify key fob signals to unlock or start the vehicle from a considerable distance. This makes RKE systems, especially in high-end vehicles, attractive targets for exploitation. 2.2 Replay Attacks Replay attacks are another major concern in RKE security. Here as shown in Fig. 2 , an attacker intercepts and records the signal transmitted between the key fob and the vehicle. This recorded signal can later be played back to gain unauthorized access or start the vehicle—without needing to understand or decode the signal itself [ 6 , 7 ]. Studies highlight that basic RKE implementations, especially those using static codes or minimal encryption, are highly vulnerable to such attacks. Unless systems utilize features like rolling codes or advanced encryption [ 3 ], captured signals can be reused multiple times. Even rolling code systems, if not properly secured, can be susceptible to replay within a short time window. Therefore, implementing time-based authentication [ 14 ] and secure encryption schemes is vital to safeguarding against these threats. 2.3 RFID Vulnerabilities Radio Frequency Identification (RFID), which plays a key role in modern RKE systems, supports features like passive keyless entry and battery-free operation. However, it also introduces several security risks. One of the main concerns is the interception and misuse of RFID signals. Several countermeasures have been proposed to combat threats like replay and rolljam attacks, including improved authentication protocols [ 4 , 11 ]. A significant risk in RFID-enabled systems is the RollBack attack as shown in Fig. 3 , where a malicious party records an RFID transmission and later replays it to unlock the vehicle. Despite the use of rolling codes and encryption in newer designs, systems remain vulnerable if attackers collect enough data to deduce the rolling pattern. Another attack type, RollJam, involves jamming the signal between the key fob and the vehicle receiver at the exact time of transmission. This causes desynchronization between the two, allowing the attacker to capture a valid code that can later be used to access the vehicle. Such attacks exploit flaws in the synchronization processes of some RFID systems.[ 8 , 13 ] Furthermore, since many RFID systems transmit data using non-encrypted or weakly encrypted signals, they can be compromised using devices like the SDR systems. Even though manufacturers have made strides toward more secure RFID systems, challenges persist in embedding robust encryption and tamper-resistant measures to fully safeguard against these exploits 3 Approach and Implementation Original Equipment Manufacturers (OEMs) implement a comprehensive suite of pre-launch testing procedures to validate the safety, reliability, and overall performance of vehicles prior to market deployment. These tests encompass several key domains such as Mechanical and Durability Testing to evaluate occupant safety and structural integrity. Environmental Testing to verify performance under extreme environmental conditions through temperature, humidity, high-altitude to ensure vehicle functionality across diverse geographic and climatic conditions. Electrical and Electronic Testing to mitigate electromagnetic risks, Electromagnetic Interference and Compatibility (EMI/EMC). In addition to mechanical, electrical, and environmental testing, car manufacturers should also include RF security assessments during vehicle validation. This ensures that wireless interfaces such as Remote Keyless Entry, TPMS, and V2X modules are resilient to common RF-based attacks. Integrating SDR-based testing tools and machine learning-driven intrusion detection systems into the validation workflow can significantly enhance vehicle cybersecurity readiness. Future testing should incorporate real-world scenario generation to better understand the threats as similar to [ 5 ]. This project investigates a vehicle access system utilizing Software-Defined Radio (SDR) to capture, analyze, and replicate key fob signals, demonstrating potential vulnerabilities in modern keyless entry systems. The system as shown in Fig. 4 consists of several key hardware components, including a key fob that transmits an encrypted RF signal, a car receiver that authenticates and processes the signal to unlock the vehicle, an SDR DONGLE dongle that intercepts and captures the transmission, and a Raspberry Pi, which serves as the central processing unit. The Raspberry Pi decodes and processes the intercepted signal, validating it based on predefined criteria before retransmitting it via Raspberry Pi software, effectively mimicking the key fob to unlock the vehicle without physical access. The software design involves initializing the Raspberry Pi and Raspberry Pi software, setting up transmission parameters such as frequency (commonly 315 MHz or 433 MHz) and modulation type, and generating or loading the key fob signal for transmission. The system continuously monitors and adjusts transmission parameters to ensure accuracy and reliability. The experimentation phase involved setting up the required hardware and software, including installing Cubic SDR for signal capture, configuring the SDR DONGLE dongle to detect key fob transmissions. The captured signals were then processed on the Raspberry Pi, where Raspberry Pi software was used to replay the recorded transmissions at the appropriate frequency. Multiple tests were conducted to verify the consistency and effectiveness of signal replication, evaluating how vulnerable the car is. 3.1 Capturing and Analysing key fob frequency The initial phase of this study focused on the acquisition and analysis of the radio frequency (RF) signal emitted by a key fob. To capture the signal, we utilized a software-defined radio (SDR) setup, comprising an SDR DONGLE dongle and the CubicSDR software interface. We configured the system to monitor the 433.920 MHz frequency band, which falls within the unlicensed (ISM) band commonly used by keyless entry systems. Upon pressing the key fob button, a burst transmission was observed in the spectrum analyzer and waterfall display. A distinct peak at approximately 433.920 MHz was noted in the fast Fourier transform (FFT) view, that indicated active RF transmission. Concurrently, the waterfall plot displayed a strong vertical trace, confirming consistent signal activity during the transmission. This stage of the analysis provided critical insights into the frequency domain characteristics of the signal, validating the existence of the key fob transmission. The Fig. 5 and Fig. 6 displays Control Bar, Frequency display, Spectrum Analyzer and Waterfall display. Further illustrating parameters like; The centre frequency (433.920 MHz). This is the primary frequency the SDR is tuned to. The real time FFT display including X-axis (horizontal): Frequency range around the tuned center frequency, Y-axis (vertical): Signal strength (amplitude), shown in dB. The peak at center indicates an active and strong signal being received. The bottom display shows signal activity over time. The colours Red/Yellow indicates strong signal whereas Green/Blue indicates Weak or no signal. The bright vertical line in the middle aligns with the frequency peak above, confirming persistent transmission. 3.2 Unlocking vehicle via Raspberry Pi software for Transmission After the successful capturing and analyzing of the key fob signal, the next phase involved the retransmission of the recorded RF signal to validate its functional integrity and assess the potential security implications. For this purpose, we utilized the Raspberry Pi software suite which is an open-source RF transmitter tool designed specifically for use with the Raspberry Pi’s GPIO as a low-power RF signal generator. The tool enables direct transmission of arbitrary RF waveforms without requiring external RF hardware, operating within frequencies ranging from 1 kHz to 500 MHz and beyond. The Fig. 7 shows the user interface of Raspberry Pi software, a software tool used on Raspberry Pi for RF experimentation. It provides multiple functionalities for working with radio signals, particularly around the 434.0 MHz ISM band. The options include: Record: Captures the RF spectrum at 434.0 MHz, Play: Replays a previously recorded spectrum, Transponder: Re-transmits a received signal on the same frequency, FM->SSB: Transcodes an FM signal to Single Sideband (SSB), Set Frequency: Allows modification of the operating frequency. At the final step as shown in Fig. 8 , the raspberry pi’s GPIO pin was connected to a wire antenna to facilitate transmission and upon transmitting the signal towards the car, the target vehicle successfully recognized and responded to the replayed signal, demonstrating the feasibility of signal replay attacks using minimal hardware. This step confirms the potential for replay-based access attacks, and further reinforces the importance of integrating strong security system in RF-based authentication systems. 4 Test Results and Comparative Analysis We conducted a series of unlocking attempts on four different vehicles equipped with keyless entry systems. The objective was to observe and record the time taken for the system to respond and the maximum distance from which the vehicle could be successfully unlocked. Each vehicle was tested under similar environmental conditions to ensure consistency. To ensure accurate signal detection during these attempts, normal environment detection was employed; however, in future implementations, incorporating advanced sensing techniques such as the [ 17 ] could improve reliability in low SNR environments and under varying noise conditions. Data such as the number of attempts required, the response time in seconds, and the corresponding distance in feet were meticulously documented. These observations aim to evaluate the efficiency, reliability, and sensitivity of the keyless entry mechanisms and highlight variations in system performance across different car models. The results were then visualized using tabular and graphical formats Table 1 and Fig. 9 to facilitate comparative analysis and extract meaningful insights for future improvements. Table 1 Comparison of Keyless Entry Activation Parameters Car No. and type Attempt(s) Time(sec) Distance(feet) Car1: LMV 1 1 2 7 Car2: LMV 2 1 1 35 Car3: SEDAN 2 5 20 Car4: SUV 1 2 10 4.1 Observations & Insights Remote Signal Sensitivity and Range: The results indicate a substantial variation in the sensitivity and operational range of keyless entry systems among the tested vehicles. Car 2 exhibited the highest responsiveness, with activation occurring at a distance of 35 feet and a response time of 1 second. This implies a high degree of convenience but may raise concerns regarding potential susceptibility to relay attacks. Consistency and System Reliability: Car 3 required a second attempt to successfully register the unlocking signal, with a high response time of 5 seconds. This inconsistency suggests a lack of robustness in the signal processing or potential environmental interference, which can negatively impact user experience and system reliability. Security-Convenience Trade-Off: The shorter range and moderate response times of Car 1 and Car 4 suggest a design emphasis on enhanced security. By limiting the activation range, these vehicles may offer improved protection against unauthorized remote access. However, this comes at the cost of reduced user convenience. Design Implications for Keyless Entry Systems: The findings underscore the need for manufacturers to balance performance metrics—such as response time and activation distance—with security requirements. High sensitivity systems must integrate additional layers of verification, such as proximity authentication or dynamic encryption, to mitigate risks. 5 Future Suggestions Ultra-Wideband (UWB) Technology for Keyless Entry UWB operates over a wide frequency spectrum (3.1–10.6 GHz) and uses time-of-flight (ToF) measurements to determine the precise distance between the key and vehicle. Relay attacks fail because the system checks distance and direction, not just signal presence. AI/ML-based RF Intrusion Detection Systems (IDS) Working: Collects RF data (I/Q samples, frequency, signal strength) and trains ML models (SVMs, CNNs, RNNs) to detect anomalies or known attack signatures. Can detect subtle jamming, spoofing, or unexpected signal sources before they cause harm. Encrypted & Authenticated RF Communication Working: Adds symmetric or asymmetric cryptography (AES-128, ECC) to wireless messages (e.g., from TPMS sensors, key fobs, V2X units). Why it helps: Prevents replay/spoof attacks by requiring fresh encrypted messages with nonce or token-based challenge-response. Physical Layer Authentication (RF Fingerprinting) Working: Extracts device-specific features (amplitude imbalance, IQ offset, phase noise) to create a unique fingerprint. Why it helps: Even if an intruder copies the signal, they can’t replicate these tiny hardware imperfections. 6 Conclusion Remote Keyless Entry (RKE) systems have transformed vehicle access and security by providing increased convenience, usability, and an enhanced user experience. However, these technological advancements have also introduced critical security vulnerabilities that may be exploited by malicious actors. Consequently, there is a pressing need to develop and implement robust security measures to safeguard vehicles against unauthorized access and theft. This experimental setup serves as a foundational platform for conducting RF-based vulnerability assessments such as replay attacks as stated in this paper. By leveraging this framework, manufacturers can systematically evaluate the susceptibility of their vehicles to various wireless threats. Such analyses not only aid in identifying and mitigating vulnerabilities but also help manufacturers establish themselves as robust and secure brands through quantifiable performance metrics and security validations. Declarations Funding This research received no external funding. Author Contribution I.S and S.B analyzed the results and drafted and structured the manuscript, and handled literature review and editing.V.S and R.S designed the system architecture, contributed to hardware prototyping, and guided the experimental design.V.B and V.H conducted data collection, Carried out troubleshooting and prepared figures for the manuscript. Disclaimer : This research is conducted purely for academic and educational purposes to study wireless security vulnerabilities. All tests were performed in a controlled environment, with no intent to harm or exploit real-world systems. The techniques discussed are not intended for malicious use. References M. Hirano and M. Takeuchi, "Keyless Entry System with Radio Card Transponder," IEEE Transactions On Industrial Electronics, Vol. 35, No. 2, May 1988. A. Divya and S. Ponmaniraj, "Smart Locking and Unlocking System for Vehicle Theft Control," IJCRT, Vol. 9, Issue 8, August 2021. Marin Aranitasi, "Increasing the vehicle security by improving the Remote Key System," International Journal of Engineering Research and Applications, Vol. 12, Issue 4, (Series-III) April 2022. R. P. Parameswarath and B. Sikdar, "An Authentication Mechanism for Remote Keyless Entry Systems in Cars to Prevent Replay and RollJam Attacks," 2022 IEEE Intelligent Vehicles Symposium (IV), Aachen, Germany, 2022, pp. 1725-1730, doi: 10.1109/IV51971.2022.9827256. Song, A. Bensoussan, and M. R. Mousavi, “Synthetic versus real: an analysis of critical scenarios for autonomous vehicle testing,” Automated Software Engineering , vol. 32, 2025 CNSSI 4009 Committee on National Security Systems (CNSS) Glossary, 2015, p. 103 [Online]. M. Dibaei, et al., Attacks and defences on intelligent connected vehicles: a survey, Digit. Commun. Networks 6 (4) (Nov. 2020) 399–421, https://doi.org/10.1016/j. dcan.2020.04.007. Chongqing University of Posts and Telecommunications. Magda, Devon & Payne, Bryson. (2023). “RFID Key Fobs in Vehicles: Unmasking Vulnerabilities and Strengthening Security.” 10.32727/28.2024.3. Vijay K. Garg, Chapter 23 - fourth generation systems and new wireless technologies, in: Vijay K. Garg (Ed.), The Morgan Kaufmann Series in Networking, Wireless Communications & Networking, Morgan Kaufmann, 2007, https://doi. org/10.1016/B978-012373580-5/50057-0, 23-1-23-22, ISSN 18759351, ISBN 9780123735805. I.T. Union, Definitions of software defined radio (SDR) and cognitive radio system (CRS) SM series, SM Ser. Spectr. Manag. 2152 (2009) 328–337 [Online]. Available: https://www.itu.int/dms_pub/itu-r/opb/rep/R-REP-SM.2152-2009-PDF-E.pdf. Z. Depp, H. B. Tulay, and C. E. Koksal, "Enhanced Vehicular Roll-Jam Attack using a Known Noise Source," Symposium on Vehicles Security and Privacy (VehicleSec), San Diego, CA, USA, Feb. 2023. [Online]. Available: https://dx.doi.org/10.14722/vehiclesec.2023.23037. M.-k. Choi, R. J. Robles, C.-h. Hong, and T.-h. Kim, “Wireless Network Security: Vulnerabilities, Threats and Countermeasures,” International Journal of Multimedia and Ubiquitous Engineering , vol. 3, no. 3, pp. 77–86, Jul. 2008. F. Thornton and C. Lanthem, RFID Security . Rockland, MA, USA: Syngress, 2006 K. Greene and D. Rodgers, "Timestamp-based Defense Mechanism Against Replay Attack," IEEE International Conference on Consumer Electronics (ICCE), 2020. B. Davis and R. DeLong, "Combined remote key control and immobilization system for vehicle security," Power Electronics in Transportation, Dearborn, MI, USA, 1996, pp. 125-132. S. Padmapriya and E. A. KalaJames, "Real time smart car lock security system using face detection and recognition," 2012 International Conference on Computer Communication and Informatics, Coimbatore, India, 2012, pp. 1-6, doi: 10.1109/ICCCI.2012.6158802. S. D. Borde and K. R. Joshi, “Enhanced Wideband Spectrum Sensing Algorithm for Analysis of GSM Band,” Wireless Personal Communications , vol. 121, pp. 2145–2158, Dec. 2021, doi: 10.1007/s11277-021-08814-4. Additional Declarations No competing interests reported. Cite Share Download PDF Status: Published Journal Publication published 02 Mar, 2026 Read the published version in Journal of Transportation Security → Version 1 posted Editorial decision: Accepted 13 Feb, 2026 Reviewers agreed at journal 13 Sep, 2025 Reviewers invited by journal 10 Sep, 2025 Editor assigned by journal 22 Aug, 2025 Submission checks completed at journal 22 Aug, 2025 First submitted to journal 20 Aug, 2025 You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-7415591","acceptedTermsAndConditions":true,"allowDirectSubmit":false,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":514511291,"identity":"5a74eb7e-2e7b-4b6f-ba2b-004fdd812449","order_by":0,"name":"Iram Shaikh","email":"","orcid":"","institution":"PES Modern College of Engineering","correspondingAuthor":false,"prefix":"","firstName":"Iram","middleName":"","lastName":"Shaikh","suffix":""},{"id":514511292,"identity":"09dacfb8-9172-42dd-9ba0-7767c63b4842","order_by":1,"name":"Vedant Sakinal","email":"","orcid":"","institution":"PES Modern College of Engineering","correspondingAuthor":false,"prefix":"","firstName":"Vedant","middleName":"","lastName":"Sakinal","suffix":""},{"id":514511293,"identity":"42e131b3-5bbf-4cda-b1c4-f6b5d62eb0f8","order_by":2,"name":"Vedashree Bhongale","email":"","orcid":"","institution":"PES Modern College of Engineering","correspondingAuthor":false,"prefix":"","firstName":"Vedashree","middleName":"","lastName":"Bhongale","suffix":""},{"id":514511294,"identity":"0064ed5a-b64e-4045-ae53-8d268bfc28af","order_by":3,"name":"Sheetal Borde","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABGklEQVRIiWNgGAWjYDACCTBpwWAAZlcAyQNwuQQwwqrlAJCEaDlDshbGNnQtWID87OaDjz/USDCYs/c+vPFx3jY5vuO9zx78qLBh4GfPMWB4uANDi8GdY8kGB45JMFj2HDe2nLnttrHkmePmhj1n0hgke94YMCSewdQikWMmcYAN6LAbaWzSvNtuJ24AMRjbDgNFgLYktmE6bEb+9x8H/kG1/J0D1HL/GUjLfwZ7HFoYbuSwMRxsg2phbADZwgbScgDkAKxagCqNJc72SfBY9hxjBmKQX9LYJHvOJPNInHlWcACrw5Iffqj4ZiNnzt7GeONHzW1giB1jk/hRYSfH35688eFPLA6DAh7sIgdwahgFo2AUjIJRgA8AAM2PbhlA8BmvAAAAAElFTkSuQmCC","orcid":"","institution":"PES Modern College of Engineering","correspondingAuthor":true,"prefix":"","firstName":"Sheetal","middleName":"","lastName":"Borde","suffix":""},{"id":514511297,"identity":"d6169ea9-7ccf-4b79-b3f0-b00021e3091d","order_by":4,"name":"Rupali Kamathe","email":"","orcid":"","institution":"PES Modern College of Engineering","correspondingAuthor":false,"prefix":"","firstName":"Rupali","middleName":"","lastName":"Kamathe","suffix":""},{"id":514511298,"identity":"248e5371-a86c-4f6c-bbc9-ccc755a32e65","order_by":5,"name":"Vandana Hanchate","email":"","orcid":"","institution":"PES Modern College of Engineering","correspondingAuthor":false,"prefix":"","firstName":"Vandana","middleName":"","lastName":"Hanchate","suffix":""}],"badges":[],"createdAt":"2025-08-20 09:08:26","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-7415591/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-7415591/v1","draftVersion":[],"editorialEvents":[{"content":"https://doi.org/10.1007/s12198-026-00336-z","type":"published","date":"2026-03-02T15:57:30+00:00"}],"editorialNote":"","failedWorkflow":false,"files":[{"id":91604885,"identity":"f491e84c-6a7b-422d-8974-bd2990b074c3","added_by":"auto","created_at":"2025-09-18 09:10:46","extension":"png","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":26244,"visible":true,"origin":"","legend":"\u003cp\u003eIllustration of a relay attack on a vehicle initiated when the user activates the key fob\u003cstrong\u003e.\u003c/strong\u003e.\u003c/p\u003e","description":"","filename":"1.png","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/5dee54648ce56899d8ac75cb.png"},{"id":91605565,"identity":"411f3bff-f87c-4c2b-9dcb-e328e542e832","added_by":"auto","created_at":"2025-09-18 09:18:47","extension":"png","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":15477,"visible":true,"origin":"","legend":"\u003cp\u003eDemonstration of a vehicle exposed to a replay attack triggered when the key fob is pressed.\u003c/p\u003e","description":"","filename":"2.png","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/498cb228fecad5887e404290.png"},{"id":91604888,"identity":"a7dc5e6c-4cc1-4363-80ba-c5f2f8b95835","added_by":"auto","created_at":"2025-09-18 09:10:47","extension":"png","order_by":3,"title":"Figure 3","display":"","copyAsset":false,"role":"figure","size":42910,"visible":true,"origin":"","legend":"\u003cp\u003eSecurity Threats and Exploitation Techniques in RFID-Based Automotive Access Systems\u003c/p\u003e","description":"","filename":"3.png","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/94751c10ec85080b1b699644.png"},{"id":91604886,"identity":"d346866a-3be9-478e-ad7e-4bdb31e3f930","added_by":"auto","created_at":"2025-09-18 09:10:47","extension":"png","order_by":4,"title":"Figure 4","display":"","copyAsset":false,"role":"figure","size":62426,"visible":true,"origin":"","legend":"\u003cp\u003eBlock Diagram summarizing the proposed SDR based system using Raspberry Pi\u003c/p\u003e","description":"","filename":"4.png","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/e257ad3768fd7ebf9e5fa753.png"},{"id":91607294,"identity":"1192a0d9-56e9-4489-b0d2-4c9d3f4808f9","added_by":"auto","created_at":"2025-09-18 09:26:47","extension":"png","order_by":5,"title":"Figure 5","display":"","copyAsset":false,"role":"figure","size":199367,"visible":true,"origin":"","legend":"\u003cp\u003eWaterfall display of recording the signal in SDR software as key fob of Car1 is pressed.\u003c/p\u003e","description":"","filename":"5.png","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/9a13d6702792b25a1c8f3bf4.png"},{"id":91604893,"identity":"ae88ef31-0577-4b44-8ed6-ec33433da7f4","added_by":"auto","created_at":"2025-09-18 09:10:47","extension":"png","order_by":6,"title":"Figure 6","display":"","copyAsset":false,"role":"figure","size":194205,"visible":true,"origin":"","legend":"\u003cp\u003eWaterfall display of recording the signal in SDR software as the key fob of Car 2 is pressed.\u003c/p\u003e","description":"","filename":"6.png","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/d8ffa46aae5715dbbe0bea61.png"},{"id":91604892,"identity":"084511cb-ad10-409f-8888-72a552025aa1","added_by":"auto","created_at":"2025-09-18 09:10:47","extension":"png","order_by":7,"title":"Figure 7","display":"","copyAsset":false,"role":"figure","size":58051,"visible":true,"origin":"","legend":"\u003cp\u003eThe user interface of Raspberry Pi software when transmitting the signal captured by SDR dongle.\u003c/p\u003e","description":"","filename":"7.png","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/bac5787ed1c1f2c853c3dce3.png"},{"id":91604898,"identity":"90db1642-9d32-4f8c-ae96-76e1a9e6f3aa","added_by":"auto","created_at":"2025-09-18 09:10:47","extension":"png","order_by":8,"title":"Figure 8","display":"","copyAsset":false,"role":"figure","size":247392,"visible":true,"origin":"","legend":"\u003cp\u003eFinal setup of the system consisting of Raspberry Pi, SDR dongle, an antenna, and jumper wires for transmitting the signal.\u003c/p\u003e","description":"","filename":"8.png","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/ae2597da1b014ab894fdfe39.png"},{"id":91604897,"identity":"5604a95c-9176-481e-b3e0-1f881ac3669d","added_by":"auto","created_at":"2025-09-18 09:10:47","extension":"png","order_by":9,"title":"Figure 9","display":"","copyAsset":false,"role":"figure","size":32599,"visible":true,"origin":"","legend":"\u003cp\u003eStatistical analysis representing Unlocking Time and Distance for Different Vehicles\u003c/p\u003e","description":"","filename":"9.png","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/4c4c533526b878e2c6311817.png"},{"id":104250641,"identity":"849c6de5-cc83-42cf-a04a-93bc0794daf4","added_by":"auto","created_at":"2026-03-09 16:03:17","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":1478530,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-7415591/v1/4a557004-b42c-4076-bf43-a8975fce194e.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"Vulnerability Assessment of Vehicle Access System using Software-Defined Radio (SDR): Attacks, Testing, Comparative Analysis and Future Countermeasures","fulltext":[{"header":"1 Introduction","content":"\u003cp\u003eIn the modern automotive world, vehicle access systems have transitioned from traditional mechanical keys to advanced wireless technologies such as Remote Keyless Entry (RKE) and Passive Keyless Entry (PKE). However, this shift has introduced new security challenges. The reliance on radio frequency (RF) communication systems exposes vehicles to vulnerabilities like signal interception, replay attacks, and jamming, which can compromise the security and safety of both vehicles and their owners. The fundamental principle behind most modern vehicle access systems is RF communication, where a key fob transmits a signal to a receiver in the vehicle to execute commands such as unlocking doors or starting the engine [\u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2\u003c/span\u003e]. Another notable implementation of a keyless entry system utilizes a compact radio card transponder that communicates with the vehicle via inductive coupling through loop antennas, enabling hands-free access [\u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e1\u003c/span\u003e]. Despite these advancements, existing systems often lack comprehensive testing environments to validate resilience against RF-based attacks. While [\u003cspan citationid=\"CR15\" class=\"CitationRef\"\u003e15\u003c/span\u003e] introduced control-based immobilization, and [\u003cspan citationid=\"CR16\" class=\"CitationRef\"\u003e16\u003c/span\u003e] added facial biometrics to improve authentication, neither addressed underlying vulnerabilities in the system. Thus, this convenience is countered by the risk of unauthorized access through methods that exploit weaknesses in RF signal transmission. [\u003cspan citationid=\"CR12\" class=\"CitationRef\"\u003e12\u003c/span\u003e].\u003c/p\u003e\u003cp\u003eSoftware-Defined Radio (SDR) technology presents a unique and powerful solution to address these challenges. It is a radio communication system that performs modulation, demodulation, and filtering using software instead of dedicated hardware, and is thus used in the proposed system for analyzing and emulating vehicle access signals [\u003cspan citationid=\"CR9\" class=\"CitationRef\"\u003e9\u003c/span\u003e, \u003cspan citationid=\"CR10\" class=\"CitationRef\"\u003e10\u003c/span\u003e]. SDR allows for the flexible implementation and analysis of various communication protocols and RF signal processing through software rather than hardware. This capability is particularly advantageous in the context of vehicle\u003c/p\u003e\u003cp\u003eaccess systems, as it facilitates comprehensive testing and evaluation of RF communi- cation security. SDR can emulate different types of RF signals and protocols, enabling researchers and developers to identify potential vulnerabilities and devise effective countermeasures.\u003c/p\u003e\u003cp\u003eThe primary goal of this project is to leverage SDR to create a vehicle access sys- tem that not only identifies existing vulnerabilities in RF-based unlocking mechanisms but also proposes robust solutions to enhance security. By studying the specific pro- tocols and technologies utilized in modern keyless entry systems, the project aims to understand the potential attack vectors and develop secure unlocking mechanisms that incorporate advanced signal processing techniques, encryption, and authentication methods [\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e]. This dual approach\u0026mdash;examining both the vulnerabilities and the solutions\u0026mdash;will provide valuable insights into securing vehicular access against emerging threats.\u003c/p\u003e\u003cp\u003eThis paper will detail the design and development process of the SDR-based vehicle access system, encompassing a thorough analysis of RF communication protocols, the security threats posed by malicious actors, and the implementation of preventive measures aimed at ensuring secure vehicle access. By concluding this project, we aspire to establish the SDR platform as both a tool for testing vulnerabilities and a frame- work for creating more resilient vehicle access systems, ultimately contributing to the advancement of automotive security technologies in the face of evolving threats.\u003c/p\u003e"},{"header":"2 Vulnerabilities in remote keyless entry system","content":"\u003cp\u003eRemote Keyless Entry (RKE) systems provide significant ease of use and convenience, but they also introduce a range of security concerns. These systems function through wireless communication, which inherently carries risks that can be exploited by malicious actors. The core security vulnerabilities of RKE systems stem from the ease with which wireless signals can be captured, altered, or resent. This section explores the primary threats identified in existing literature on RKE technologies, such as relay attacks, replay attacks, and weaknesses specific to RFID-based mechanisms\u003c/p\u003e\u003cdiv id=\"Sec3\" class=\"Section2\"\u003e\u003ch2\u003e2.1 Relay Attacks\u003c/h2\u003e\u003cp\u003eAmong the most widespread and well-studied threats to RKE systems are relay attacks. In these attacks, adversaries extend the communication range between the key fob and the vehicle by using relay devices. As shown in Fig.\u0026nbsp;\u003cspan refid=\"Fig1\" class=\"InternalRef\"\u003e1\u003c/span\u003e, one device is placed close to the key fob, while another is near the car. The legitimate signal is then transmitted between the two, effectively tricking the car into believing the key fob is nearby and enabling access or ignition.\u003c/p\u003e\u003cp\u003eRelay attacks are particularly dangerous because they do not require direct access to the key fob. Attackers can execute such operations from a distance\u0026mdash;outside a home or in a parking area\u0026mdash;making detection difficult. Research indicates that these relay devices can be easily built or acquired, and they amplify key fob signals to unlock or start the vehicle from a considerable distance. This makes RKE systems, especially in high-end vehicles, attractive targets for exploitation.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec4\" class=\"Section2\"\u003e\u003ch2\u003e2.2 Replay Attacks\u003c/h2\u003e\u003cp\u003eReplay attacks are another major concern in RKE security. Here as shown in Fig.\u0026nbsp;\u003cspan refid=\"Fig2\" class=\"InternalRef\"\u003e2\u003c/span\u003e, an attacker intercepts and records the signal transmitted between the key fob and the vehicle. This recorded signal can later be played back to gain unauthorized access or start the vehicle\u0026mdash;without needing to understand or decode the signal itself [\u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e6\u003c/span\u003e, \u003cspan citationid=\"CR7\" class=\"CitationRef\"\u003e7\u003c/span\u003e].\u003c/p\u003e\u003cp\u003eStudies highlight that basic RKE implementations, especially those using static codes or minimal encryption, are highly vulnerable to such attacks. Unless systems utilize features like rolling codes or advanced encryption [\u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e3\u003c/span\u003e], captured signals can be reused multiple times. Even rolling code systems, if not properly secured, can be susceptible to replay within a short time window. Therefore, implementing time-based authentication [\u003cspan citationid=\"CR14\" class=\"CitationRef\"\u003e14\u003c/span\u003e] and secure encryption schemes is vital to safeguarding against these threats.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec5\" class=\"Section2\"\u003e\u003ch2\u003e2.3 RFID Vulnerabilities\u003c/h2\u003e\u003cp\u003eRadio Frequency Identification (RFID), which plays a key role in modern RKE systems, supports features like passive keyless entry and battery-free operation. However, it also introduces several security risks. One of the main concerns is the interception and misuse of RFID signals. Several countermeasures have been proposed to combat threats like replay and rolljam attacks, including improved authentication protocols [\u003cspan citationid=\"CR4\" class=\"CitationRef\"\u003e4\u003c/span\u003e, \u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e11\u003c/span\u003e].\u003c/p\u003e\u003cp\u003eA significant risk in RFID-enabled systems is the RollBack attack as shown in Fig.\u0026nbsp;\u003cspan refid=\"Fig3\" class=\"InternalRef\"\u003e3\u003c/span\u003e, where a malicious party records an RFID transmission and later replays it to unlock the vehicle. Despite the use of rolling codes and encryption in newer designs, systems remain vulnerable if attackers collect enough data to deduce the rolling pattern.\u003c/p\u003e\u003cp\u003eAnother attack type, RollJam, involves jamming the signal between the key fob and the vehicle receiver at the exact time of transmission. This causes desynchronization between the two, allowing the attacker to capture a valid code that can later be used to access the vehicle. Such attacks exploit flaws in the synchronization processes of some RFID systems.[\u003cspan citationid=\"CR8\" class=\"CitationRef\"\u003e8\u003c/span\u003e, \u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e13\u003c/span\u003e]\u003c/p\u003e\u003cp\u003eFurthermore, since many RFID systems transmit data using non-encrypted or weakly encrypted signals, they can be compromised using devices like the SDR systems. Even though manufacturers have made strides toward more secure RFID systems, challenges persist in embedding robust encryption and tamper-resistant measures to fully safeguard against these exploits\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003c/div\u003e"},{"header":"3 Approach and Implementation","content":"\u003cp\u003eOriginal Equipment Manufacturers (OEMs) implement a comprehensive suite of pre-launch testing procedures to validate the safety, reliability, and overall performance of vehicles prior to market deployment. These tests encompass several key domains such as Mechanical and Durability Testing to evaluate occupant safety and structural integrity. Environmental Testing to verify performance under extreme environmental conditions through temperature, humidity, high-altitude to ensure vehicle functionality across diverse geographic and climatic conditions. Electrical and Electronic Testing to mitigate electromagnetic risks, Electromagnetic Interference and Compatibility (EMI/EMC).\u003c/p\u003e\u003cp\u003eIn addition to mechanical, electrical, and environmental testing, car manufacturers should also include RF security assessments during vehicle validation. This ensures that wireless interfaces such as Remote Keyless Entry, TPMS, and V2X modules are resilient to common RF-based attacks. Integrating SDR-based testing tools and machine learning-driven intrusion detection systems into the validation workflow can significantly enhance vehicle cybersecurity readiness. Future testing should incorporate real-world scenario generation to better understand the threats as similar to [\u003cspan citationid=\"CR5\" class=\"CitationRef\"\u003e5\u003c/span\u003e].\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThis project investigates a vehicle access system utilizing \u003cb\u003eSoftware-Defined Radio (SDR)\u003c/b\u003e to capture, analyze, and replicate key fob signals, demonstrating potential vulnerabilities in modern keyless entry systems. The system as shown in Fig.\u0026nbsp;\u003cspan refid=\"Fig4\" class=\"InternalRef\"\u003e4\u003c/span\u003e consists of several key hardware components, including a key fob that transmits an encrypted RF signal, a car receiver that authenticates and processes the signal to unlock the vehicle, an SDR DONGLE dongle that intercepts and captures the transmission, and a Raspberry Pi, which serves as the central processing unit. The Raspberry Pi decodes and processes the intercepted signal, validating it based on predefined criteria before retransmitting it via Raspberry Pi software, effectively mimicking the key fob to unlock the vehicle without physical access. The software design involves initializing the Raspberry Pi and Raspberry Pi software, setting up transmission parameters such as frequency (commonly 315 MHz or 433 MHz) and modulation type, and generating or loading the key fob signal for transmission. The system continuously monitors and adjusts transmission parameters to ensure accuracy and reliability.\u003c/p\u003e\u003cp\u003eThe experimentation phase involved setting up the required hardware and software, including installing Cubic SDR for signal capture, configuring the SDR DONGLE dongle to detect key fob transmissions. The captured signals were then processed on the Raspberry Pi, where Raspberry Pi software was used to replay the recorded transmissions at the appropriate frequency. Multiple tests were conducted to verify the consistency and effectiveness of signal replication, evaluating how vulnerable the car is.\u003c/p\u003e\u003cdiv id=\"Sec7\" class=\"Section2\"\u003e\u003ch2\u003e3.1 Capturing and Analysing key fob frequency\u003c/h2\u003e\u003cp\u003eThe initial phase of this study focused on the acquisition and analysis of the radio frequency (RF) signal emitted by a key fob. To capture the signal, we utilized a software-defined radio (SDR) setup, comprising an SDR DONGLE dongle and the CubicSDR software interface. We configured the system to monitor the 433.920 MHz frequency band, which falls within the unlicensed (ISM) band commonly used by keyless entry systems. Upon pressing the key fob button, a burst transmission was observed in the spectrum analyzer and waterfall display. A distinct peak at approximately 433.920 MHz was noted in the fast Fourier transform (FFT) view, that indicated active RF transmission. Concurrently, the waterfall plot displayed a strong vertical trace, confirming consistent signal activity during the transmission. This stage of the analysis provided critical insights into the frequency domain characteristics of the signal, validating the existence of the key fob transmission.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe Fig.\u0026nbsp;\u003cspan refid=\"Fig5\" class=\"InternalRef\"\u003e5\u003c/span\u003e \u003cb\u003eand\u003c/b\u003e Fig.\u0026nbsp;\u003cspan refid=\"Fig6\" class=\"InternalRef\"\u003e6\u003c/span\u003e displays Control Bar, Frequency display, Spectrum Analyzer and Waterfall display. Further illustrating parameters like; The centre frequency (433.920 MHz). This is the primary frequency the SDR is tuned to. The real time FFT display including X-axis (horizontal): Frequency range around the tuned center frequency, Y-axis (vertical): Signal strength (amplitude), shown in dB. The peak at center indicates an active and strong signal being received. The bottom display shows signal activity over time. The colours Red/Yellow indicates strong signal whereas Green/Blue indicates Weak or no signal. The bright vertical line in the middle aligns with the frequency peak above, confirming persistent transmission.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec8\" class=\"Section2\"\u003e\u003ch2\u003e3.2 Unlocking vehicle via Raspberry Pi software for Transmission\u003c/h2\u003e\u003cp\u003eAfter the successful capturing and analyzing of the key fob signal, the next phase involved the retransmission of the recorded RF signal to validate its functional integrity and assess the potential security implications. For this purpose, we utilized the Raspberry Pi software suite which is an open-source RF transmitter tool designed specifically for use with the Raspberry Pi\u0026rsquo;s GPIO as a low-power RF signal generator. The tool enables direct transmission of arbitrary RF waveforms without requiring external RF hardware, operating within frequencies ranging from 1 kHz to 500 MHz and beyond.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe Fig.\u0026nbsp;\u003cspan refid=\"Fig7\" class=\"InternalRef\"\u003e7\u003c/span\u003e shows the user interface of Raspberry Pi software, a software tool used on Raspberry Pi for RF experimentation. It provides multiple functionalities for working with radio signals, particularly around the 434.0 MHz ISM band. The options include: Record: Captures the RF spectrum at 434.0 MHz, Play: Replays a previously recorded spectrum, Transponder: Re-transmits a received signal on the same frequency, FM-\u0026gt;SSB: Transcodes an FM signal to Single Sideband (SSB), Set Frequency: Allows modification of the operating frequency.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAt the final step \u003cb\u003eas shown in\u003c/b\u003e Fig.\u0026nbsp;\u003cspan refid=\"Fig8\" class=\"InternalRef\"\u003e8\u003c/span\u003e, the raspberry pi\u0026rsquo;s GPIO pin was connected to a wire antenna to facilitate transmission and upon transmitting the signal towards the car, the target vehicle successfully recognized and responded to the replayed signal, demonstrating the feasibility of signal replay attacks using minimal hardware. This step confirms the potential for replay-based access attacks, and further reinforces the importance of integrating strong security system in RF-based authentication systems.\u003c/p\u003e\u003c/div\u003e"},{"header":"4 Test Results and Comparative Analysis","content":"\u003cp\u003eWe conducted a series of unlocking attempts on four different vehicles equipped with keyless entry systems. The objective was to observe and record the time taken for the system to respond and the maximum distance from which the vehicle could be successfully unlocked. Each vehicle was tested under similar environmental conditions to ensure consistency. To ensure accurate signal detection during these attempts, normal environment detection was employed; however, in future implementations, incorporating advanced sensing techniques such as the [\u003cspan citationid=\"CR17\" class=\"CitationRef\"\u003e17\u003c/span\u003e] could improve reliability in low SNR environments and under varying noise conditions. Data such as the number of attempts required, the response time in seconds, and the corresponding distance in feet were meticulously documented. These observations aim to evaluate the efficiency, reliability, and sensitivity of the keyless entry mechanisms and highlight variations in system performance across different car models. The results were then visualized using tabular and graphical formats Table\u0026nbsp;\u003cspan refid=\"Tab1\" class=\"InternalRef\"\u003e1\u003c/span\u003e \u003cb\u003eand\u003c/b\u003e Fig.\u0026nbsp;\u003cspan refid=\"Fig9\" class=\"InternalRef\"\u003e9\u003c/span\u003e to facilitate comparative analysis and extract meaningful insights for future improvements.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab1\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable 1\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eComparison of Keyless Entry Activation Parameters\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"4\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"char\" char=\".\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCar No. and type\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eAttempt(s)\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eTime(sec)\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eDistance(feet)\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCar1: LMV 1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e7\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCar2: LMV 2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e35\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCar3: SEDAN\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e5\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e20\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCar4: SUV\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c2\"\u003e\u003cp\u003e1\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c3\"\u003e\u003cp\u003e2\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"char\" char=\".\" colname=\"c4\"\u003e\u003cp\u003e10\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv id=\"Sec10\" class=\"Section2\"\u003e\u003ch2\u003e4.1 Observations \u0026amp; Insights\u003c/h2\u003e\u003cp\u003eRemote Signal Sensitivity and Range: The results indicate a substantial variation in the sensitivity and operational range of keyless entry systems among the tested vehicles. Car 2 exhibited the highest responsiveness, with activation occurring at a distance of 35 feet and a response time of 1 second. This implies a high degree of convenience but may raise concerns regarding potential susceptibility to relay attacks.\u003c/p\u003e\u003cp\u003eConsistency and System Reliability: Car 3 required a second attempt to successfully register the unlocking signal, with a high response time of 5 seconds. This inconsistency suggests a lack of robustness in the signal processing or potential environmental interference, which can negatively impact user experience and system reliability.\u003c/p\u003e\u003cp\u003eSecurity-Convenience Trade-Off: The shorter range and moderate response times of Car 1 and Car 4 suggest a design emphasis on enhanced security. By limiting the activation range, these vehicles may offer improved protection against unauthorized remote access. However, this comes at the cost of reduced user convenience.\u003c/p\u003e\u003cp\u003eDesign Implications for Keyless Entry Systems: The findings underscore the need for manufacturers to balance performance metrics\u0026mdash;such as response time and activation distance\u0026mdash;with security requirements. High sensitivity systems must integrate additional layers of verification, such as proximity authentication or dynamic encryption, to mitigate risks.\u003c/p\u003e\u003c/div\u003e"},{"header":"5 Future Suggestions","content":"\u003cp\u003eUltra-Wideband (UWB) Technology for Keyless Entry\u003c/p\u003e\u003cp\u003eUWB operates over a wide frequency spectrum (3.1\u0026ndash;10.6 GHz) and uses time-of-flight (ToF) measurements to determine the precise distance between the key and vehicle.\u003c/p\u003e\u003cp\u003eRelay attacks fail because the system checks distance and direction, not just signal presence.\u003c/p\u003e\u003cp\u003eAI/ML-based RF Intrusion Detection Systems (IDS)\u003c/p\u003e\u003cp\u003eWorking: Collects RF data (I/Q samples, frequency, signal strength) and trains ML models (SVMs, CNNs, RNNs) to detect anomalies or known attack signatures. Can detect subtle jamming, spoofing, or unexpected signal sources before they cause harm.\u003c/p\u003e\u003cp\u003eEncrypted \u0026amp; Authenticated RF Communication\u003c/p\u003e\u003cp\u003eWorking: Adds symmetric or asymmetric cryptography (AES-128, ECC) to wireless messages (e.g., from TPMS sensors, key fobs, V2X units).\u003c/p\u003e\u003cp\u003eWhy it helps: Prevents replay/spoof attacks by requiring fresh encrypted messages with nonce or token-based challenge-response.\u003c/p\u003e\u003cp\u003ePhysical Layer Authentication (RF Fingerprinting)\u003c/p\u003e\u003cp\u003eWorking: Extracts device-specific features (amplitude imbalance, IQ offset, phase noise) to create a unique fingerprint.\u003c/p\u003e\u003cp\u003eWhy it helps: Even if an intruder copies the signal, they can\u0026rsquo;t replicate these tiny hardware imperfections.\u003c/p\u003e"},{"header":"6 Conclusion","content":"\u003cp\u003eRemote Keyless Entry (RKE) systems have transformed vehicle access and security by providing increased convenience, usability, and an enhanced user experience. However, these technological advancements have also introduced critical security vulnerabilities that may be exploited by malicious actors. Consequently, there is a pressing need to develop and implement robust security measures to safeguard vehicles against unauthorized access and theft. This experimental setup serves as a foundational platform for conducting RF-based vulnerability assessments such as replay attacks as stated in this paper. By leveraging this framework, manufacturers can systematically evaluate the susceptibility of their vehicles to various wireless threats. Such analyses not only aid in identifying and mitigating vulnerabilities but also help manufacturers establish themselves as robust and secure brands through quantifiable performance metrics and security validations.\u003c/p\u003e"},{"header":"Declarations","content":"\u003ch2\u003eFunding\u003c/h2\u003e\u003cp\u003eThis research received no external funding.\u003c/p\u003e\u003ch2\u003eAuthor Contribution\u003c/h2\u003e\u003cp\u003eI.S and S.B analyzed the results and drafted and structured the manuscript, and handled literature review and editing.V.S and R.S designed the system architecture, contributed to hardware prototyping, and guided the experimental design.V.B and V.H conducted data collection, Carried out troubleshooting and prepared figures for the manuscript.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eDisclaimer\u003c/strong\u003e: This research is conducted purely for academic and educational purposes to study wireless security vulnerabilities. All tests were performed in a controlled environment, with no intent to harm or exploit real-world systems. The techniques discussed are not intended for malicious use.\u003c/p\u003e"},{"header":"References","content":"\u003col\u003e\n\u003cli\u003eM. Hirano and M. Takeuchi, \u0026quot;Keyless Entry System with Radio Card Transponder,\u0026quot; \u003cem\u003eIEEE Transactions On Industrial Electronics,\u003c/em\u003e Vol. 35, No. 2, May 1988.\u003c/li\u003e\n\u003cli\u003eA. Divya and S. Ponmaniraj, \u0026quot;Smart Locking and Unlocking System for Vehicle Theft Control,\u0026quot; \u003cem\u003eIJCRT,\u003c/em\u003e Vol. 9, Issue 8, August 2021.\u003c/li\u003e\n\u003cli\u003eMarin Aranitasi, \u0026quot;Increasing the vehicle security by improving the Remote Key System,\u0026quot; \u003cem\u003eInternational Journal of Engineering Research and Applications,\u003c/em\u003e Vol. 12, Issue 4, (Series-III) April 2022.\u003c/li\u003e\n\u003cli\u003eR. P. Parameswarath and B. Sikdar, \u0026quot;An Authentication Mechanism for Remote Keyless Entry Systems in Cars to Prevent Replay and RollJam Attacks,\u0026quot; 2022 IEEE Intelligent Vehicles Symposium (IV), Aachen, Germany, 2022, pp. 1725-1730, doi: 10.1109/IV51971.2022.9827256.\u003c/li\u003e\n\u003cli\u003eSong, A. Bensoussan, and M. R. Mousavi, \u0026ldquo;Synthetic versus real: an analysis of critical scenarios for autonomous vehicle testing,\u0026rdquo; \u003cem\u003eAutomated Software Engineering\u003c/em\u003e, vol. 32, 2025\u003c/li\u003e\n\u003cli\u003eCNSSI 4009 Committee on National Security Systems (CNSS) Glossary, 2015, p. 103 [Online].\u003c/li\u003e\n\u003cli\u003eM. Dibaei, et al., Attacks and defences on intelligent connected vehicles: a survey, Digit. Commun. Networks 6 (4) (Nov. 2020) 399\u0026ndash;421, https://doi.org/10.1016/j. dcan.2020.04.007. Chongqing University of Posts and Telecommunications.\u003c/li\u003e\n\u003cli\u003eMagda, Devon \u0026amp; Payne, Bryson. (2023). \u0026ldquo;RFID Key Fobs in Vehicles: Unmasking Vulnerabilities and Strengthening Security.\u0026rdquo; 10.32727/28.2024.3.\u003c/li\u003e\n\u003cli\u003eVijay K. Garg, Chapter 23 - fourth generation systems and new wireless technologies, in: Vijay K. Garg (Ed.), The Morgan Kaufmann Series in Networking, Wireless Communications \u0026amp; Networking, Morgan Kaufmann, 2007, https://doi. org/10.1016/B978-012373580-5/50057-0, 23-1-23-22, ISSN 18759351, ISBN 9780123735805.\u003c/li\u003e\n\u003cli\u003eI.T. Union, Definitions of software defined radio (SDR) and cognitive radio system (CRS) SM series, SM Ser. Spectr. Manag. 2152 (2009) 328\u0026ndash;337 [Online]. Available: https://www.itu.int/dms_pub/itu-r/opb/rep/R-REP-SM.2152-2009-PDF-E.pdf.\u003c/li\u003e\n\u003cli\u003eZ. Depp, H. B. Tulay, and C. E. Koksal, \u003cem\u003e\u0026quot;Enhanced Vehicular Roll-Jam Attack using a Known Noise Source,\u0026quot;\u003c/em\u003e Symposium on Vehicles Security and Privacy (VehicleSec), San Diego, CA, USA, Feb. 2023. [Online]. Available: https://dx.doi.org/10.14722/vehiclesec.2023.23037.\u003c/li\u003e\n\u003cli\u003eM.-k. Choi, R. J. Robles, C.-h. Hong, and T.-h. Kim, \u0026ldquo;Wireless Network Security: Vulnerabilities, Threats and Countermeasures,\u0026rdquo; \u003cem\u003eInternational Journal of Multimedia and Ubiquitous Engineering\u003c/em\u003e, vol. 3, no. 3, pp. 77\u0026ndash;86, Jul. 2008.\u003c/li\u003e\n\u003cli\u003eF. Thornton and C. Lanthem, \u003cem\u003eRFID Security\u003c/em\u003e. Rockland, MA, USA: Syngress, 2006\u003c/li\u003e\n\u003cli\u003eK. Greene and D. Rodgers, \u0026quot;Timestamp-based Defense Mechanism Against Replay Attack,\u0026quot; IEEE International Conference on Consumer Electronics (ICCE), 2020.\u003c/li\u003e\n\u003cli\u003eB. Davis and R. DeLong, \u0026quot;Combined remote key control and immobilization system for vehicle security,\u0026quot; Power Electronics in Transportation, Dearborn, MI, USA, 1996, pp. 125-132.\u003c/li\u003e\n\u003cli\u003eS. Padmapriya and E. A. KalaJames, \u0026quot;Real time smart car lock security system using face detection and recognition,\u0026quot; 2012 International Conference on Computer Communication and Informatics, Coimbatore, India, 2012, pp. 1-6, doi: 10.1109/ICCCI.2012.6158802.\u003c/li\u003e\n\u003cli\u003eS. D. Borde and K. R. Joshi, \u0026ldquo;Enhanced Wideband Spectrum Sensing Algorithm for Analysis of GSM Band,\u0026rdquo; \u003cem\u003eWireless Personal Communications\u003c/em\u003e, vol. 121, pp. 2145\u0026ndash;2158, Dec. 2021, doi: 10.1007/s11277-021-08814-4.\u003c/li\u003e\n\u003c/ol\u003e"}],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":true,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":false,"highlight":"","institution":"","isAcceptedByJournal":true,"isAuthorSuppliedPdf":false,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":false,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"
[email protected]","identity":"journal-of-transportation-security","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"jtrs","sideBox":"Learn more about [Journal of Transportation Security](http://link.springer.com/journal/12198)","snPcode":"12198","submissionUrl":"https://submission.nature.com/new-submission/12198/3","title":"Journal of Transportation Security","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"em","reportingPortfolio":"Springer Hybrid","inReviewEnabled":true,"inReviewRevisionsEnabled":false},"keywords":"Vehicle vulnerabilities, Software- Defined Radio, RFID, Replay attack","lastPublishedDoi":"10.21203/rs.3.rs-7415591/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-7415591/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"\u003cp\u003eRemote Keyless Entry systems have become an integral component of contemporary vehicles, enhancing user convenience while simultaneously posing potential security challenges. However, with this convenience comes a growing concern over potential security vulnerabilities, particularly those involving radio frequency (RF) attacks such as replay attacks, relay attacks, and signal jamming. This research paper investigates the vulnerabilities of RKE systems across multiple car models, evaluating their susceptibility to RF-based exploits. Our testing results reveal significant disparities in the security robustness of different car models, highlighting the need for improved encryption protocols and signal authentication mechanisms. This study provides a comparative analysis of RKE vulnerabilities, offering insights into the current state of automotive security and proposing recommendations for mitigating risks associated with RF attacks. By offering a comparative analysis of performance and security parameters, this research aims to inform automotive manufacturers, cybersecurity experts, and consumers about the inherent risks associated with current RKE implementations and to advocate for the development and adoption of more secure vehicular access technologies.\u003c/p\u003e","manuscriptTitle":"Vulnerability Assessment of Vehicle Access System using Software-Defined Radio (SDR): Attacks, Testing, Comparative Analysis and Future Countermeasures","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2025-09-18 09:10:42","doi":"10.21203/rs.3.rs-7415591/v1","editorialEvents":[{"type":"communityComments","content":0},{"type":"decision","content":"Accepted","date":"2026-02-13T21:59:39+00:00","index":"","fulltext":""},{"type":"reviewerAgreed","content":"325373597284859822514387650677040705896","date":"2025-09-13T08:02:11+00:00","index":"hide","fulltext":""},{"type":"reviewersInvited","content":"","date":"2025-09-10T21:22:22+00:00","index":"","fulltext":""},{"type":"editorAssigned","content":"","date":"2025-08-22T17:49:49+00:00","index":"","fulltext":""},{"type":"checksComplete","content":"","date":"2025-08-22T04:12:29+00:00","index":"","fulltext":""},{"type":"submitted","content":"Journal of Transportation Security","date":"2025-08-20T09:02:04+00:00","index":"","fulltext":""}],"status":"published","journal":{"display":true,"email":"
[email protected]","identity":"journal-of-transportation-security","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":false,"externalIdentity":"jtrs","sideBox":"Learn more about [Journal of Transportation Security](http://link.springer.com/journal/12198)","snPcode":"12198","submissionUrl":"https://submission.nature.com/new-submission/12198/3","title":"Journal of Transportation Security","twitterHandle":"","acdcEnabled":true,"dfaEnabled":true,"editorialSystem":"em","reportingPortfolio":"Springer Hybrid","inReviewEnabled":true,"inReviewRevisionsEnabled":false}}],"origin":"","ownerIdentity":"499f2fb2-9911-4075-a6d5-8da7c85fcebb","owner":[],"postedDate":"September 18th, 2025","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"published-in-journal","subjectAreas":[],"tags":[],"updatedAt":"2026-03-09T16:01:09+00:00","versionOfRecord":{"articleIdentity":"rs-7415591","link":"https://doi.org/10.1007/s12198-026-00336-z","journal":{"identity":"journal-of-transportation-security","isVorOnly":false,"title":"Journal of Transportation Security"},"publishedOn":"2026-03-02 15:57:30","publishedOnDateReadable":"March 2nd, 2026"},"versionCreatedAt":"2025-09-18 09:10:42","video":"","vorDoi":"10.1007/s12198-026-00336-z","vorDoiUrl":"https://doi.org/10.1007/s12198-026-00336-z","workflowStages":[]},"version":"v1","identity":"rs-7415591","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-7415591","identity":"rs-7415591","version":["v1"]},"buildId":"8U1c8b4HqxoKbykW_rLl7","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}
Text is read by the "Ask this paper" AI Q&A widget below.
Extraction quality varies by source — PMC NXML preserves structure
cleanly, OA-HTML may include some navigation residue, and OA-PDF can
have broken hyphenation. The publisher copy
(via DOI)
is the canonical version.