Hacker News

My car seems to be able to tell if the key is inside or outside pretty accurately so I think it can already figure out the distance to the key (though might be using something like RFID for that, which is not very secure).


The whole point is the car is using signal strength as a proxy for proximity, which is unreliable when you can use a transceiver and/or amplifier to boost the signal strength from a remote key.


Not sure if you've mis-replied, but in case you imply the key location works on signal strength I doubt that very much.


Do you have a source for your doubt? It would be more technically accurate to say that the car is dependent on signal fall-off than signal strength, but that seems to be a distinction without a difference to me.

>A PKES car key uses an LF RFID tag that provides short range communication (within 1-2 m in active and a few centimeters in passive mode) and a fully-fledged UHF transceiver for longer range communication (within 10 to 100 m). The LF channel is used to detect if the key fob is within regions Inside and Outside of the car. Figure 2(b) shows the areas in proximity of the car that must be detected in order to allow a safe and convenient use of the PKES system. The regions are as follows. [1]

1. http://www.syssec.ethz.ch/content/dam/ethz/special-interest/...


As you can see in the picture yourself, the inside/outside zones are very close to each other. Locating a key with such precision based on the signal strength alone does not seem possible for the following reasons: the key's transmitter is too small to provide a stable signal level, the key is located in a very anisotropic environment, the car itself changes its shape and hence RF loss from different directions.


Let's assume that each of us knows what we are talking about.

Yes, the actual key itself is located by the car based on Low Frequency RFID.

The attack described is a relay attack, which means that the key can be spoofed in real time by relaying short range radio transmissions to two locations.

The mistaken assumption of the security system is that the short range communication protocol used by the car and the key requires the key to be in close proximity to the car.

Since the communication may be relayed, the range assumption is invalid. The main suggestion is to use high precision timing to determine the range, as it is very difficult to cheat on the speed of light.

I agree that "signal strength" is not the best way to phrase the above in a technical discussion.

I have not seen any indication that triangulation or any other physical location system is used in vehicle PKES.
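Added example, not part of the thread above: a small Python model of the point under discussion, comparing a signal-strength proximity check with a round-trip-time bound for a nearby key and for a relayed one. All names, thresholds, delays and RSSI values are constructed assumptions, not taken from any vehicle or from the cited paper.

```python
from dataclasses import dataclass
from typing import List

C = 299_792_458.0        # speed of light in m/s
PROCESSING_S = 1e-6      # assumed fixed, known key response time (constructed)

@dataclass
class Exchange:
    rssi_dbm: float      # signal strength seen by the car
    rtt_s: List[float]   # round-trip time of each challenge/response round

def rssi_check(ex: Exchange, min_rssi_dbm: float = -60.0) -> bool:
    """Proximity inferred from signal strength: anything loud enough passes."""
    return ex.rssi_dbm >= min_rssi_dbm

def distance_upper_bound_m(rtt_s: float, processing_s: float) -> float:
    """Largest distance consistent with one measured round trip."""
    return C * max(rtt_s - processing_s, 0.0) / 2.0

def timing_check(ex: Exchange, processing_s: float, max_range_m: float) -> bool:
    """Proximity inferred from time of flight: every round must fit the range.
    A relay can amplify a signal but can only add delay, never remove it."""
    return all(distance_upper_bound_m(r, processing_s) <= max_range_m
               for r in ex.rtt_s)

def simulate(distance_m: float, rssi_dbm: float,
             relay_delay_s: float = 0.0, rounds: int = 8) -> Exchange:
    """Constructed measurement: propagation both ways, plus relay latency each way."""
    rtt = PROCESSING_S + 2.0 * distance_m / C + 2.0 * relay_delay_s
    return Exchange(rssi_dbm, [rtt] * rounds)

# Constructed scenarios: key 1 m from the car, and key 50 m away behind a
# relay that restores the signal level and adds 100 ns of latency each way.
nearby = simulate(distance_m=1.0, rssi_dbm=-45.0)
relayed = simulate(distance_m=50.0, rssi_dbm=-45.0, relay_delay_s=100e-9)

if __name__ == "__main__":
    for name, ex in (("nearby", nearby), ("relayed", relayed)):
        bound = distance_upper_bound_m(ex.rtt_s[0], PROCESSING_S)
        print(f"{name}: rssi_ok={rssi_check(ex)} "
              f"timing_ok={timing_check(ex, PROCESSING_S, 2.0)} "
              f"bound={bound:.2f} m")
```

The bound is only meaningful if the key's response time is fixed and the timed response is cryptographically tied to the challenge; a 2 m range corresponds to roughly 13 ns of round-trip flight time, which is why high precision timing is required.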



