HI
I am just surprised at how bloody simple and genius this SARA attack is.
The fact that we can get our hands on things cheaply now is creating security threats by making it accessible to hackers but it is a double edge sword.
The problem is not "making things accessible to hackers" but bloody clueless manufacturers that put gizmos that nobody really needs in cars without understanding neither the technology nor the security/safety implications and think that if they keep stuff secret it is somehow going to be secure.
The SARA attack is impossible if you require a physical key in the ignition (as was standard for decades) and not just "nearby" (= RFID). However, in the name of convenience and gee-whiz keyless pushbutton ignition (= a feature you can charge more for!) your car can be now stolen with a cheap box of electronics in a few seconds, with no trace of forced entry (so many insurances will refuse to pay).
One way to fix this issue would be requiring a check that the keyfob/card is physically in the vehicle - e.g. by inserting it in a reader with physical contacts, not just RFID (some older vehicles had such system). But then we are effectively back to the key-in-the-ignition setup, just the key is replaced by a fob ...
You can't use reflectometry - there is no reflection to measure. And measuring response times is notoriously unreliable, e.g. because of interference, keyfob not reacting right away, etc. which will swamp the time of flight of the radio signal that you could use to determine distance. Signal intensity detto.
[...] I was wondering do you experts have any ideas on how to make our cars more secure. [...]
Mechanical lock/key. Something solid that looks too much like hard work for the thieves.
Not necessarily, even the good old rolling code pushbutton thing is more secure than this. There are tricks that can be used to bypass it (google Logjam attack), but it is much more finicky and complicated for the thieves to reliably execute it, so likely few will bother - smashing a window or forcing a door lock is easier.
The SARA vulnerability is effectively unfixable without ditching the entire system with the RFID fobs. If you don't want to have your car stolen or burgled, don't buy a car with this. Fortunately, this stupid system is optional on most brands that have it.
This is called progress - solving a "problem" that wasn't really a problem to begin with (what is so difficult or inconvenient about having to insert a key in the ignition?) and causing several new, much worse ones.