1 - 20 of 135 Posts

·
Registered
Joined
·
764 Posts
Discussion Starter · #1 ·
We have discussed keyfob security before. I decided to create a new thread as the previous one is full of speculation and some misinformation. For completeness, here is a link to that thread for those interested. That discussion started before I had my Polestar 2 and I was asking if the Polestar Keyfobs are of the "sleeping" kind.

Some forum members, myself included, have done some experiments and have previously concluded that the keys do not have motion sensors in them. I have done some more investigation and will detail my findings here. I am also going to follow up with Polestar to hopefully get some questions answered.

But first: some background for those unfamiliar with the technology and the issue, skip if you're familiar with how keyless entry works and how relay attacks work.
Since "keyless entry" and "keyless drive" were introduced to cars, there has been a vulnerability with the keys which has been exploited by thieves. To keep it simple, the technology works by the car sending out a signal when someone tries to open or start the car. If the key is within radio range (a meter or two usually) then the key will respond to this signal with an answer to the car's request. The signal itself is reasonably robust against attacks. It's not just a simple ID which could be intercepted and replayed by a potential thief. There are cryptographic things going on which make it very difficult and impractical to copy or "impersonate" a key.

BUT thefts are still happening. This is because although the key can't be copied, it is possible for a thief to intercept the car's request to unlock/start and relay that signal over a long distance to within range of the key and equally relay the key's response back to the car. The typical scenario here is where the owner is at home and has left their car keys close to the front door. The thieves (at least two usually) have equipment to carry out the attack. One stands by the car with one half of the equipment, and the other stands by the front door of the house. They then try to open the car. The equipment they use then relays the signals between the car and the key so that the car is satisfied and thinks that the key is present and then opens/starts. Once started, the car can be driven without the key. Although the car will complain that the key is no longer present, it will not shut off for safety reasons.

The solution to this that has been implemented by manufacturers (first by Ford) is to put the key into a "sleep" mode after the key has stopped moving for some time. In the sleep mode it will not respond to any radio signals. This means that you could put the key down by your front door and it will just go to sleep and be secure. The relay attack would then not work.

My investigation

I know that all 2021 model year Volvos have these "sleeping" keyfobs. On this forum we have previously tested and arrived at the conclusion that these are not supplied with Polestar. I think someone even had confirmation from customer services to that effect, however don't quote me on that.

I have been very frustrated by this and have become increasingly confused as to why they wouldn't use these newer keys. I decided to compare the keys of my Polestar with those of my 2018 Volvo V90 before it is taken away this week (end of lease on the Volvo).

Here's the Large keys, Volvo on top, Polestar on bottom:
[Attachment 3363]


And the active key, Volvo on top, Polestar on bottom:
[Attachment 3364]


Here we see that the part numbers are of course different. Volvo part numbers are 8 digits long and always begin with 3. This makes sense as every variant of a part has a different number. So even if they had the same hardware inside, they have different outer shells, one with VOLVO on it, one with the Citroen Polestar logo on it.

But we also see a model number. This is the hardware model according to the OEM Huf Hülsbeck & Fürst. Here they are transcribed:

Main Key
Volvo: HUF8423
Polestar: HUF8423MS

Active Key
Volvo: HUF8432
Polestar: HUF8432MS

As you can see, these parts are almost identical, with the Polestar key seeming to be some sort of variation of the Volvo key. What is this MS? Some googling suggests that MS means...... drumroll............. Motion Sensor.

Sure enough, a search for the active key parts reveals the FCC filing documents including the user manual for the key:

Manual for the MS part: here
Manual for the non-MS part: here

To save you a read, the main difference between these two documents is the addition of the following paragraph:

"Relay-Station-Attack (RSA) countermeasure: when the Tag ID has been stationary without movement for a defined time (timer configurable), the motion sensor will deactivate the LF front end in the Tag ID and will not react to Keyless Entry or Start LF triggers from the vehicle. Only when motion has been detected by the implemented motion sensor, the LF front end of the Tag ID will become active for a defined time."

The same difference is present in the main key manual.

I think this is pretty clear that the keys for the Polestar 2 do in fact have motion sensors and will enter a sleep mode after some time of inactivity. The unclear part is how long it takes to enter this sleep mode. The manual only states "for a defined time". I will contact Polestar to try to get an answer to this. It is also unclear at this time why no forum member has yet been able to prove through experimentation that this sleeping functionality is actually working.

For the curious, the manual also explains how the key continues to work in the event of a dead battery.

What does this mean?

Well, depending on how long it takes to enter sleep mode, it could be that those scaredy-pants who have bought faraday pouches are unnecessarily adding inconvenience to their lives. In the end, it doesn't hurt to use them, that's your choice.
 

·
Registered
Non PP, Midnight, Load Bars
Joined
·
138 Posts
Hey Snood, I got me a Faraday BOX baby, no girly pouch.....just saying... :love: :love: .
On a serious note, this is a very nice post. Thanks for the detailed investigation.
 

·
Super Moderator
Joined
·
1,357 Posts
Sorry if this comes across as harsh but don't believe there's anything new in this post, nor do I really agree that any myths have been dispelled. We already knew that the keys had the 'MS' designation, and the datasheet for the key had already been shared in the other thread.

How do you reconcile this with the fact that nearly every customer in the Netherlands is forced to have the main keys modified and the activity key deactivated from the car at significant expense otherwise it is impossible to get insurance? After this modification has been done, they aren't even allowed to replace the battery in the key themselves without invalidating their insurance. Why would such strenuous rules be put in place for no reason?

How do you explain the results of my test where I left the key under the car in a plastic box and was able to open and move the car an hour later? I think you did the same test as well and had the same outcome?

It's truly baffling. It's as if the MS capability of the keys has been deliberately programmed out or maybe set for a ridiculously long time. These keys are fully programmable by the manufacturer - including the behaviour of the MS solution.
 

·
Registered
Joined
·
764 Posts
Discussion Starter · #5 ·
We already knew that the keys had the 'MS' designation, and the datasheet for the key had already been shared in the other thread.
I see you're quite right. I had missed that... well I hadn't as I liked the post and I responded to it... but I had forgotten that it was mentioned.

How do you reconcile this with the fact that nearly every customer in the Netherlands is forced to have the main keys modified and the activity key deactivated from the car at significant expense otherwise it is impossible to get insurance? After this modification has been done, they aren't even allowed to replace the battery in the key themselves without invalidating their insurance. Why would such strenuous rules be put in place for no reason?
Insurance companies often haven't got a clue what they're talking about. A number of years ago there were insurance companies in the UK claiming that putting winter tyres on your car was a non-standard modification and were increasing premiums despite drivers making their cars safer. I wouldn't go by what insurers require.


How do you explain the results of my test where I left the key under the car in a plastic box and was able to open and move the car an hour later? I think you did the same test as well and had the same outcome?
I don't explain it, indeed I mention that as an unanswered issue in my post.
 

·
Super Moderator
Joined
·
1,396 Posts
It's as if the MS capability of the keys has been deliberately programmed out or maybe set for a ridiculously long time. These keys are fully programmable by the manufacturer - including the behaviour of the MS solution.
This was my first thought when I read "programmable by the manufacturer". Based on our collective experience with the SW quality, my money would be on 0xffff for the timeout.

I'm wondering whether the keys are OTAble ;)
 

·
Super Moderator
Joined
·
1,357 Posts
Insurance companies often haven't got a clue
This isn't insurance companies, it's the Dutch equivalent of Thatcham (KIWA) who have decreed that the solution isn't resistant to relay attacks without further mitigation. The insurance companies perhaps have overreacted, but maybe relay theft is a massive issue in The Netherlands. I'm sure we must have some locals on this forum who can comment.
 

·
Registered
P2 2021, Void, Charcoal, no PP, 19 inch
Joined
·
161 Posts
Yes, some Dutch insurance companies demand this KIWA certificate. But not all. My insurance company did not. So I did not change my keys and keep them (just to be a bit more sure) in a pouch and in a metal Faraday box.
 

·
Registered
Joined
·
13 Posts
It may well be, of course, that the motion detection doesn't kick in until the key is out of range of the car. So leaving the key by the car for an hour won't validate the functionality as the key will never go to sleep.

The way to do it might be to leave the key under the car (in a garage maybe) then using the other key drive off somewhere for an hour or two. Come back, carefully pull the car over the top of the key but don't touch it or run it over!

Lock the car with the second key and take it with you in the house, out of range of the car. Then come back with no keys near the car except the one under it and try unlocking the car with your hand.
 

·
Registered
Joined
·
764 Posts
Discussion Starter · #12 ·
It may well be, of course, that the motion detection doesn't kick in until the key is out of range of the car. So leaving the key by the car for an hour won't validate the functionality as the key will never go to sleep.

The way to do it might be to leave the key under the car (in a garage maybe) then using the other key drive off somewhere for an hour or two. Come back, carefully pull the car over the top of the key but don't touch it or run it over!

Lock the car with the second key and take it with you in the house, out of range of the car. Then come back with no keys near the car except the one under it and try unlocking the car with your hand.
A few of us including myself have tested for this very possibility. Still not possible to verify.
 

·
Registered
Joined
·
535 Posts
Sorry if this comes across as harsh but don't believe there's anything new in this post, nor do I really agree that any myths have been dispelled.
I tend to agree, this has just re-hashed the existing thread, without any additional facts


Lock the car with the second key and take it with you in the house, out of range of the car. Then come back with no keys near the car except the one under it and try unlocking the car with your hand.
This test, and the previous tests people have tried do not replicate a relay attack. The only thing that can replicate a relay attack is...you guessed it... a relay attack! (actual or test). Thatcham do these and record the ratings/results. I'll wait for a proper test. I would find it odd if the MS suffix on the part number proves to be false, but you never know.
 

·
Registered
Joined
·
764 Posts
Discussion Starter · #15 ·
Polestar Customer service have confirmed to me that the Polestar keys do sleep after some time of inactivity.

They did tell me how long the timeout is for it to enter sleep mode citing "security reasons". I am pressing them on this question further.

Ford publicly state that their keys sleep after being still for 40 seconds.
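
The stationary-key tests discussed in this thread, as an added example that is not part of any post and is not the key's firmware: a toy Python model of the sleep behaviour in the quoted manual paragraph, showing which timeout values a one-hour test can rule out and how the timeout sets the window in which a resting key still answers. The 0xFFFF value is taken as seconds (an assumption), the overnight timeline is constructed, and all names are hypothetical.

```python
"""Toy model of the motion-sensor sleep behaviour quoted from the FCC manual."""
from dataclasses import dataclass, field


@dataclass
class TagID:
    sleep_timeout_s: float                      # "defined time (timer configurable)"
    motion_times: list = field(default_factory=list)

    def motion(self, t):
        """Record a motion-sensor event at time t (seconds)."""
        self.motion_times.append(t)

    def answers_lf_trigger(self, t):
        """True if the LF front end is still active at time t."""
        past = [m for m in self.motion_times if m <= t]
        return bool(past) and (t - max(past)) < self.sleep_timeout_s


def consistent_timeouts(candidates, still_for_s, key_answered):
    """Candidate timeouts that agree with one stationary-key observation."""
    keep = []
    for timeout in candidates:
        key = TagID(timeout)
        key.motion(0.0)                         # key put down at t = 0
        if key.answers_lf_trigger(still_for_s) == key_answered:
            keep.append(timeout)
    return keep


def exposure_seconds(timeout_s, motion_times, start, end):
    """Seconds in [start, end) during which the key would answer a trigger."""
    total, cursor = 0.0, start
    for m in sorted(motion_times):
        lo, hi = max(m, cursor), min(m + timeout_s, end)
        if hi > lo:                             # merge overlapping awake periods
            total += hi - lo
            cursor = hi
    return total


if __name__ == "__main__":
    # Candidates: 40 s (Ford figure from the thread), 0xFFFF s (assumed unit),
    # and "never sleeps" modelled as an infinite timeout.
    candidates = [40, 0xFFFF, float("inf")]
    # Observation reported in the thread: key still for an hour, car opened.
    print("consistent with 1 h test:", consistent_timeouts(candidates, 3600, True))
    # Constructed night: key put down at t = 0 and untouched for nine hours.
    for timeout in candidates:
        print(timeout, "->", exposure_seconds(timeout, [0.0], 0.0, 9 * 3600), "s awake")
```

A test in which the key stays still for less than the configured timeout cannot distinguish a long timeout from a disabled sensor, which is why the one-hour result leaves both possibilities open.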
 

·
Registered
Polestar 2 (Thunder/Slate)
Joined
·
871 Posts
Polestar Customer service have confirmed to me that the Polestar keys do sleep after some time of inactivity.

They did tell me how long the timeout is for it to enter sleep mode citing "security reasons". I am pressing them on this question further.

Ford publicly state that their keys sleep after being still for 40 seconds.
They seriously didn’t disclose this, citing security reasons? That makes no sense, how would that impact the security of the system?

WTF!
 

·
Registered
Joined
·
764 Posts
Discussion Starter · #17 ·
they seriously didn’t disclose this, citing security reasons? That makes no sense, how would that impact the security of the system?

WTF!
My thoughts exactly.

I'll give them a chance to disclose it before seeking the information via other channels.
 

·
Registered
Thunder ⚡ | Non-PP | 20" | Towbar | Damn good looking driver
Joined
·
57 Posts
So I measured the key recognition max amount of meters between car and key. This was around 2 meters (depending on where I stand relative to the car). And my keys are 3 meters away from the door. Would my car be vulnerable to a relay attack? So can it also extend that initial 2 meter gap a bit further? Or is the car safe because of the extra 1 meter buffer?
 