Fast, furious and insecure: passive keyless entry and start systems in modern supercars

Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs, Bart Preneel

Research output: Contribution to journalArticleAcademicpeer-review

25 Citations (Scopus)
586 Downloads (Pure)


The security of immobiliser and Remote Keyless Entry systems has been extensively studied over many years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received much attention besides relay attacks. In this work we fully reverse engineer a Passive Keyless Entry and Start system and perform a thorough analysis of its security.
Our research reveals several security weaknesses. Specifically, we document the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, no firmware readout protection features enabled and the absence of security partitioning.
In order to validate our findings, we implement a full proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. Our findings most likely apply to other manufacturers of luxury vehicles including McLaren, Karma and Triumph motorcycles as they all use the same system developed by Pektron.
Original languageEnglish
Pages (from-to)66-85
Number of pages20
JournalIACR Transactions on Cryptographic Hardware and Embedded Systems
Issue number3
Publication statusPublished - 9 May 2019
Externally publishedYes


  • Tesla
  • McLaren
  • Karma
  • Triumph
  • Pektron
  • DST40
  • Digital Signature Transponder
  • Reverse engineering
  • Passive Keyless Entry and Start


Dive into the research topics of 'Fast, furious and insecure: passive keyless entry and start systems in modern supercars'. Together they form a unique fingerprint.

Cite this