Ultrasound also makes it massively easier to spoof distance measurements, because there's nothing that requires the attacker to use ultrasound for his own transmissions.
The speed of sound in air is about 1ms/foot, so if you're trying to measure proximity within 30ft, you're looking for a 60ms roundtrip delay, or 30ms for one-way. If the attacker has ultrasonic microphones and speakers connected with radio waves, that means he can spoof your fob from up to 9,000km away for roundtrip ultrasound, and 4,500km away for one-way, under ideal conditions.
The speed of light imposes difficult constraints in terms of how fast you have to respond, but at least the attacker can't outrun it (as far as anyone knows).
The description I saw of the amplifier attack said that the attacker put an amplifier near the car. This amplified the car's weak signal so it could reach the fob, which would then respond. The attacker does not have any equipment near the fob (and may not even know where it is).
If the car then did an ultrasonic distance check by emitting a coded ultrasonic signal that the fob had to receive, and then relay the code back to open the door, I don't see how the attacker would spoof that. Even if he has an ultrasonic microphone near the car, and an ultrasonic transmitter somewhere else, with a radio link to tell the transmitter what the send...how does he place the transmitter so that your fob will hear it?
If the attack is targeted against a specific individual, where the attacker knows both where the car is parked and where the individual is when away from the car, and the attacker can place equipment at both locations, then yes, I see that the attacker can get around ultrasonic distance measurement.
But for the most common case, where the attacker is at the car and has no idea where the owner is, it seems workable to me.
Right, I see, that makes sense and your idea would definitely help there. It wouldn't defeat a more targeted attack, but just defeating a simpler one could be worthwhile.
The speed of sound in air is about 1ms/foot, so if you're trying to measure proximity within 30ft, you're looking for a 60ms roundtrip delay, or 30ms for one-way. If the attacker has ultrasonic microphones and speakers connected with radio waves, that means he can spoof your fob from up to 9,000km away for roundtrip ultrasound, and 4,500km away for one-way, under ideal conditions.
The speed of light imposes difficult constraints in terms of how fast you have to respond, but at least the attacker can't outrun it (as far as anyone knows).