
Yeah, a car's passive entry system can definitely be exploited by relay attacks. Here is an academic group who demonstrated it: https://eprint.iacr.org/2010/332.pdf

The most obvious way to mitigate is to have the car require the key to send the first bit of the response at most N nanoseconds after the last bit of the challenge is sent over the air. Because of the speed of light, this assures the key is within a certain distance of the car. Ideally you want to constrain this to ~2 meters since passive entry requires the driver to touch the door handle. This limit is not to be confused with remote keyless entry, which should work up to ~100 meters as it requires the driver to actively press a button so, like garage door openers, this is not vulnerable to relay attacks. However, power-constrained MCUs, especially in the key, have a hard time computing a strong cryptographic challenge within N nanoseconds with N low enough, hence the problem...

After my little foray into garage door openers I am currently looking into implementing relay attacks on the passive entry / passive go system of my car (2012 Audi). Fascinating stuff.



There are super low power accelerometers with wake on movement. Simply require the key be recently moved about to activate the door. If the key is not awake, it can't answer any challenges.


You don't need to compute the challenge in N nanoseconds. Instead, the car could send a challenge, and the key can compute it in however much time it likes. Then the car sends a one-time pad; the key receives it and XORs the OTP with the challenge's response. Then it sends that.

The cryptographic challenge makes it secure, the XORed one-time-pad allows for fast measurement of the round trip time.
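The two-phase exchange described in the comment above, as an added sketch that is not part of the original thread: an untimed challenge phase followed by a timed XOR phase, with the car rejecting any round trip longer than the ~2 m bound allows. Timing is simulated rather than measured over radio, and HMAC-SHA256, the 16-byte lengths, the 5 ns key turnaround and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

C_M_PER_NS = 0.299792458   # speed of light in metres per nanosecond
MAX_DISTANCE_M = 2.0       # passive-entry range quoted in the thread
KEY_XOR_NS = 5.0           # assumed fixed turnaround of the key's XOR stage
MAX_RTT_NS = 2 * MAX_DISTANCE_M / C_M_PER_NS + KEY_XOR_NS

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def respond(secret, challenge):
    # Assumed response function: truncated HMAC-SHA256 over the challenge.
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:16]

class Key:
    def __init__(self, secret):
        self.secret, self.response = secret, None

    def slow_phase(self, challenge):
        # Untimed: the key may take as long as it needs here.
        self.response = respond(self.secret, challenge)

    def fast_phase(self, pad):
        # Timed: a bare XOR, so turnaround is tiny and predictable.
        return xor(self.response, pad)

class Car:
    def __init__(self, secret):
        self.secret = secret

    def unlock(self, key, distance_m, relay_delay_ns=0.0):
        challenge = secrets.token_bytes(16)
        key.slow_phase(challenge)
        pad = secrets.token_bytes(16)      # fresh pad, sent when the timer starts
        reply = key.fast_phase(pad)
        # Simulated round trip: propagation both ways, key turnaround, and
        # whatever latency a forwarding device in the path would add.
        rtt_ns = 2 * distance_m / C_M_PER_NS + KEY_XOR_NS + relay_delay_ns
        if rtt_ns > MAX_RTT_NS:
            return "too far"
        if not hmac.compare_digest(xor(reply, pad), respond(self.secret, challenge)):
            return "bad response"
        return "unlock"

if __name__ == "__main__":
    secret = secrets.token_bytes(32)       # constructed pairing secret
    car = Car(secret)
    print(car.unlock(Key(secret), 1.0))    # key beside the door
    print(car.unlock(Key(secret), 30.0))   # key indoors, signal forwarded
```

The pad has to be unpredictable and generated only after the slow phase, otherwise a device near the car could pre-fetch the XORed reply and answer within the time bound.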


Neat; Aurelien is my co-chair for USENIX WOOT this year. Now that I know his name, I keep noticing amazing things he's worked on.

Thanks for posting this.



