2021 CX-5 Key Battery Low

[N7turbo]

Yes, they are always transmitting the low frequency field seen in the diagram. When a key fob enters the field, an encrypted exchange between fob and car begins to determine if the fob is one that is stored in the computer. (I think the computer can store up to four) If it is, the door can be unlocked and the car started once it enters the interior of the vehicle.

But why is this needed at all? That can be determined once the unlock button is pressed.

Door unlock button pressed -> call out to fob via nearfield, fob responds, unlock occurs
Fob unlock button pressed -> call out to car, unlock occurs

In fact that is exactly what happens when I am walking to my car after work every day. I am 100 feet away, no where near this near-field bubble.

 

[N7turbo]

The fob (while it can vary depending on the system) is typically in a low-power state so that it can determine when it enters a vehicle's keyless entry zone. This is why a Faraday box is necessary for the fob as the bad actors can extend the range of the vehicle's keyless entry zone and trick the fob into beginning the exchange. The Faraday box will block the low-power signal from the fob and also prevent the signal from the vehicle from reaching it.

I thought the relay attacks use a powered repeater (antenna) to amplify the broadcast signal from the car, when the unlock button is pressed on the door? Simply amplifying the signal by standing near the door isn't enough to open the door without an unlock command.

 

[MrViking]

But why is this needed at all? That can be determined once the unlock button is pressed.

Door unlock button pressed -> call out to fob via nearfield, fob responds, unlock occurs
Fob unlock button pressed -> call out to car, unlock occurs

In fact that is exactly what happens when I am walking to my car after work every day. I am 100 feet away, no where near this near-field bubble.

The whole idea is to not have to push a button. Consider a woman whose fob is in the murky depths of her purse. She doesn't have to go on an adventure finding it. She only has to walk up to the car and press a button or slide a hand through the door handle.

There's not much point to if if you have to manually activate it by pressing a button.

When you use the buttons, a similar thing happens but it's manually initiated rather than automatically. So here's a summary of the two systems:

In many keyless entry systems, pushing a button on the fob for remote locking/unlocking and the passive keyless entry (PKE) system use different communication frequencies and protocols. Here's how they typically differ:

1. Remote Lock/Unlock (Button Press):
Frequency Range: Typically operates on a frequency of 315 MHz (North America) or 433 MHz (Europe and other regions), depending on local regulations.

Transmission Mode: When you press a button, the fob sends a high-power signal to the car to lock, unlock, or perform other functions like opening the trunk or triggering the alarm.

Signal Type: It usually sends an encoded one-way communication, where the fob transmits a command, and the car receives it. In that signal, the fob identifies itself. If the identity is stored by the vehicle, it performs the function based on the button pressed.

2. Passive Keyless Entry (PKE):

Frequency Range: Operates on a combination of low-frequency (LF) signals (usually 125 kHz) for proximity detection and high-frequency (HF) signals (315/433 MHz or 868 MHz) for communication.

LF (125 kHz): The car emits a low-frequency signal to detect the presence of the fob.
HF (315/433 MHz): The fob responds to the car's query when detected.

Transmission Mode: This system involves bi-directional communication. The car and the fob exchange signals to authenticate and enable actions like unlocking the doors or starting the engine.

Why Different Frequencies?

Power Efficiency: Button-press signals are stronger and use more power since they must work over longer distances. PKE systems use low-power signals to conserve battery life.

Functionality: PKE systems require short-range, precise communication to ensure the car only unlocks when the fob is nearby, while remote button presses must work from a distance (e.g., across a parking lot).

Security: Using different frequencies for different functions makes it harder for malicious actors to intercept and misuse signals.

 

[MrViking]

I thought the relay attacks use a powered repeater (antenna) to amplify the broadcast signal from the car, when the unlock button is pressed on the door? Simply amplifying the signal by standing near the door isn't enough to open the door without an unlock command.

While the relay attack does use a repeater, it's not the button being pressed that initiates it. The bad actor initiates it when they are in the zone show in the diagram. The button is inactive until a valid fob is detected within the zone. The attack extends the zone that's shown in the previous diagram but not in the shame shape as it's beamed at a much higher power directly to the person who is closer to the remote. The fob, believing that it is now in the zone responds as it would if it actually were right next to the vehicle. That signal is forwarded back to the vehicle which also believes the fob to next to the vehicle.

In computer terms, it's similar to a man-in-the-middle attack.

 

[Conrad 16.5]

Yes, they are always transmitting the low frequency field seen in the diagram. When a key fob enters the field, an encrypted exchange between fob and car begins to determine if the fob is one that is stored in the computer. (I think the computer can store up to four) If it is, the door can be unlocked and the car started once it enters the interior of the vehicle.

The fob (while it can vary depending on the system) is typically in a low-power state so that it can determine when it enters a vehicle's keyless entry zone. This is why a Faraday box is necessary for the fob as the bad actors can extend the range of the vehicle's keyless entry zone and trick the fob into beginning the exchange. The Faraday box will block the low-power signal from the fob and also prevent the signal from the vehicle from reaching it. A Faraday box is better than some kind of metal can or box as both the material and size of the mesh are critical in the range of frequencies that are blocked. Faraday cages are designed to block radio waves. Metal boxes are not.

If the system operates as you say, then why do we need to press a button at all?

As soon as the car senses your fob nearby, the doors should be able to unlock automatically. This could be an option that the user sets up in the lock behavior section of the infotainment system.

Our Mazdas can't do this, but some higher end cars can. I know that the fact that our cars can't do this is not definitive proof that the system does not operate as you think but it's a pretty good indicator.

You mentioned the research you did prior to buying a keyless entry car. I'd love to see your links as to how these things work. I certainly could be wrong, but I don't think so.

 

[MrViking]

It a huge security issue to have the car unlock anytime you're near it. That's why there's a button ion the door handle so it unlocks only when you want it to. In my Camry, you simply have to slip your hand into the door handle. Mazda is way behind by having a button. they should have updated that by now. I agree you might has well push the button on the fob if you have to push a button anyway. But doing that each time would shorten batter life.

There is an option on the CX-5 to automatically lock when you leave so it will lock when your fob is no longer detected in the zone. You could experiment with it by setting that option and then seeing how far you have to walk away before it locks. Could they have an option to unlock when the fob is in the zone? Sure but it's a huge security/safety issue so they chose not to do it. TBH, I'm not familiar with brands that do have the auto-unlock based on proximity.

Here's the Wikipedia link with all the citations and the links at the bottom. I'm sure there's other articles as well.

Remote keyless system - Wikipedia

en.wikipedia.org

 

[RedBaron]

In my Camry, you simply have to slip your hand into the door handle. Mazda is way behind by having a button. they should have updated that by now.

My CX-50 has a touch sensor area inside the door handle for unlock, and a smaller one on the outside for lock. I imagine the next CX-5 refresh will do the same.

 

[Conrad 16.5]

It a huge security issue to have the car unlock the car anytime you're near it. That's why there's a button ion the door handle so it unlocks only when you want it to. In my Camry, you simply have to slip your hand into the door handle. Mazda is way behind by having a button. they should have updated that by now. I agree you might has well push the button on the fob if you have to push a button anyway. But doing that each time would shorten batter life.

There is an option on the CX-5 to automatically lock when you leave so it will lock when your fob is no longer detected in the zone. You could experiment with it by setting that option and then seeing how far you have to walk away before it locks. Could they have an option to unlock when the fob is in the zone? Sure but it's a huge security/safety issue so they chose not to do it. TBH, I'm not familiar with brands that do have the auto-unlock based on proximity.

Here's the Wikipedia link with all the citations and the links at the bottom. I'm sure there's other articles as well.

Remote keyless system - Wikipedia

en.wikipedia.org

You may want to go ahead and reread the link you gave. Nowhere in that article does it state that the system operates in the way that you suggest. Just the opposite in fact.

As for the security risk of having the doors automatically unlock on approach? That's true but that's why automatic unlock on approach would be an option, if available. Just as the other locking and unlocking behaviors are an option.

 

[MrViking]

You may want to go ahead and reread the link you gave. Nowhere in that article does it state that the system operates in the way that you suggest. Just the opposite in fact.

As for the security risk of having the doors automatically unlock on approach? That's true but that's why automatic unlock on approach would be an option, if available. Just as the other locking and unlocking behaviors are an option.

Sorry about that link. It mentions it but gives no explanation. Try this one.

What is passive keyless entry (PKE)? | Definition from TechTarget

Learn how passive keyless entry (PKE) systems offer hands-free vehicle access with advanced security features and are now integrated with smart devices.

www.techtarget.com

 

[Conrad 16.5]

Passive Key Enty System.

I read your link and the one thing that was said on this subject was this.

"The PKE key fob and the vehicle module both contain transceivers that communicate wirelessly to detect each other. The module in the vehicle continually sends out encoded messages; when the key fob is in range, it responds. If the encrypted messages are correct, they identify the vehicle and key fob to each other, and the door unlocks."

I see it there but I'm still not believing that the system works in this way. Why would the system continually broadcast? That signal right there may allow the bad guys to gain access. If that signal is not available, the system is more secure.

Mazda calls their system Advanced Keyless Enty System. Does that differ from the PKE system? I believe that it does.

 

[MrViking]

There's little battery drain on the car to keep the zone always in place. Big battery, little zone the uses very little power. The fob is also is in a low power mode until it is in the zone.

As far as the signal being there around the car all the time? Your home wireless is there for anyone to steal and it advertises that it's there for the taking! But they can't because there's security protocols employed to prevent it. Unless they have specific tools to do so, they have no access. Sound familiar? It's also no different than a bad guy walking up to your computer and trying to log in. To do so they need your password and your cell or email if you have MFA turned on. In more secure environments, even with that, only specific devices are allowed access. Most cars have only 4 spots for key fob IDs. So unless some can spoof you fob ID or trick your car or fob into thinking the fob is in the "zone", there's no way to unlock or start the car via the fob.

Other than that, I don't know what to tell you other than it's your prerogative to think whatever you want. I have no beef whatsoever with that and for all I know, I'm being trolled and playing right along.

 

[Conrad 16.5]

There's little battery drain on the car to keep the zone always in place. Big battery, little zone the uses very little power. The fob is also is in a low power mode until it is in the zone.

As far as the signal being there around the car all the time? Your home wireless is there for anyone to steal and it advertises that it's there for the taking! But they can't because there's security protocols employed to prevent it. Unless they have specific tools to do so, they have no access. Sound familiar? It's also no different than a bad guy walking up to your computer and trying to log in. To do so they need your password and your cell or email if you have MFA turned on. In more secure environments, even with that, only specific devices are allowed access. Most cars have only 4 spots for key fob IDs. So unless some can spoof you fob ID or trick your car or fob into thinking the fob is in the "zone", there's no way to unlock or start the car via the fob.

Other than that, I don't know what to tell you other than it's your prerogative to think whatever you want. I have no beef whatsoever with that and for all I know, I'm being trolled and playing right along.

There is NO reason to have the car constantly broadcasting a signal, NONE.

I'll agree to disagree on this. In the long run, it makes no difference.