Gone in 360 seconds: Hijacking with hitag2

Proceedings of the 21st USENIX Security Symposium

Volumn , Issue , 2012, Pages 237-252

  Verdult, Roel ^a   Garcia, Flavio D ^a   Balasch, Josep ^b  

^a RADBOUD UNIVERSITY NIJMEGEN   (Netherlands)

^b UNIVERSITY OF LEUVEN   (Belgium)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; ENGINES; MODEL AUTOMOBILES; PUBLIC KEY CRYPTOGRAPHY; SECURITY SYSTEMS;

CAR MODELS; ELECTRONIC VEHICLES; KEYLESS ENTRY SYSTEMS; PASSIVE RFID TAGS; SECRET KEY; STREAM CIPHERS; WIRELESS COMMUNICATIONS;

TRANSPONDERS;

EID: 84966893349     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (49)

1. Ross J. Anderson. Security Engineering: A guide to building dependable distributed systems. Wiley, 2010.
2. Atmel. Embedded avr microcontroller including rf transmitter and immobilizer lf functionality for remote keyless entry - ATA5795, 2010.
3. Steve Babbage. A space/time tradeoff in exhaustive search attacks on stream ciphers. In European Convention on Security and Detection, volume 408 of Conference Publications, pages 161–166. IEEE Computer Society, 1995.
4. Josep Balasch, Benedikt Gierlichs, Roel Verdult, Lejla Batina, and Ingrid Verbauwhede. Power analysis of Atmel CryptoMemory - recovering keys from secure EEPROMs. In 12th Cryptographers’ Track at the RSA Conference (CT-RSA 2012), volume 7178 of Lecture Notes in Computer Science, pages 19–34. Springer-Verlag, 2012.
5. Alex Biryukov, Ilya Kizhvatov, and Bin Zhang. Cryptanalysis of the Atmel cipher in Secure-Memory, CryptoMemory and CryptoRF. In 9th Applied Cryptography and Network Security (ACNS 2011), pages 91–109. Springer-Verlag, 2011.
6. Alex Biryukov, Sourav Mukhopadhyay, and Palash Sarkar. Improved time-memory trade-offs with multiple data. In 13th International Workshop on Selected Areas in Cryptography (SAC 2006), volume 3897 of Lecture Notes in Computer Science, pages 110–127. Springer-Verlag, 2006.
7. Alex Biryukov and Adi Shamir. Cryptanalytic time/memory/data tradeoffs for stream ciphers. In 6th International Conference on the Theory and Application of Cryptology and Information Security, Advances in Cryptology (ASIACRYPT 2000), volume 1976 of Lecture Notes in Computer Science, pages 1–13. Springer-Verlag, 2000.
8. Andrey Bogdanov. Linear slide attacks on the KeeLoq block cipher. In Information Security and Cryptology (INSCRYPT 2007), volume 4990 of Lecture Notes in Computer Science, pages 66–80. Springer, 2007.
9. Andrey Bogdanov and Christof Paar. On the security and efficiency of real-world lightweight authentication protocols. In 1st Workshop on Secure Component and System Identification (SECSI 2008). ECRYPT, 2008.
10. Stephen C. Bono, Matthew Green, Adam Stubble-field, Ari Juels, Aviel D. Rubin, and Michael Szydlo. Security analysis of a cryptographically-enabled RFID device. In 14th USENIX Security Symposium (USENIX Security 2005), pages 1–16. USENIX Association, 2005.
11. Johan Borst, Bart Preneel, Joos Vandewalle, and Joos V. On the time-memory tradeoff between exhaustive key search and table precomputation. In 19th Symposium in Information Theory in the Benelux, pages 111–118, 1998.
12. Nicolas T. Courtois. The dark side of security by obscurity - and cloning MIFARE Classic rail and building passes, anywhere, anytime. In 4th International Conference on Security and Cryptography (SECRYPT 2009), pages 331–338. INSTICC Press, 2009.
13. Nicolas T. Courtois, Gregory V. Bard, and David Wagner. Algebraic and slide attacks on KeeLoq. In 15th International Workshop on Fast Software Encryption (FSE 2000), volume 5086 of Lecture Notes in Computer Science, pages 97–115. Springer-Verlag, 2008.
14. Nicolas T. Courtois, Sean O’Neil, and Jean-Jacques Quisquater. Practical algebraic attacks on the Hitag2 stream cipher. In 12th Information Security Conference (ISC 2009), volume 5735 of Lecture Notes in Computer Science, pages 167–176. Springer-Verlag, 2009.
15. Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, 2002.
16. Gerhard de Koning Gans, Jaap-Henk Hoepman, and Flavio D. Garcia. A practical attack on the MIFARE Classic. In 8th Smart Card Research and Advanced Applications Conference (CARDIS 2008), volume 5189 of Lecture Notes in Computer Science, pages 267–282. Springer-Verlag, 2008.
17. Federal Communications Commission FCC. Guidelines for evaluating the environmental effects of radio frequency radiation. Technical report, Federal Communications Commission FCC, April 2009.
18. Aurélien Francillon, Boris Danev, and Srdjan Čapkun. Relay attacks on passive keyless entry and start systems in modern cars. In 18th Network and Distributed System Security Symposium (NDSS 2011). The Internet Society, 2011.
19. Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, and Bart Jacobs. Dismantling MIFARE Classic. In 13th European Symposium on Research in Computer Security (ESORICS 2008), volume 5283 of Lecture Notes in Computer Science, pages 97–114. Springer-Verlag, 2008.
20. Flavio D. Garcia, Gerhard de Koning Gans, and Roel Verdult. Exposing iClass key diversification. In 5th USENIX Workshop on Offensive Technologies (USENIX WOOT 2011), pages 128–136, San Francisco, CA, USA, 2011. USENIX Association.
21. Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult, and Milosch Meriac. Dismantling iClass and iClass Elite. In 17th European Symposium on Research in Computer Security (ESORICS 2012), Lecture Notes in Computer Science. Springer-Verlag, 2012.
22. Flavio D. Garcia, Peter van Rossum, Roel Verdult, and Ronny Wichers Schreur. Wirelessly pickpocketing a mifare classic card. In 30th IEEE Symposium on Security and Privacy (S&P 2009), pages 3–15. IEEE Computer Society, 2009.
23. Flavio D. Garcia, Peter van Rossum, Roel Verdult, and Ronny Wichers Schreur. Dismantling SecureMemory, CryptoMemory and CryptoRF. In 17th ACM Conference on Computer and Communications Security (CCS 2010), pages 250–259. ACM/SIGSAC, 2010.
24. Gerhard P. Hancke. Practical attacks on proximity identification systems (short paper). In 27th IEEE Symposium on Security and Privacy (S&P 2006), pages 328–333. IEEE Computer Society, 2006.
25. Martin E. Hellman. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, 26(4):401–406, 1980.
26. Motoki Hirano, Mikio Takeuchi, Takahisa Tomoda, and Kin-Ichiro Nakano. Keyless entry system with radio card transponder. IEEE Transactions on Industrial Electronics, 35:208–216, 1988.
27. Sebastiaan Indesteege, Nathan Keller, Orr Dunkelmann, Eli Biham, and Bart Preneel. A practical attack on KeeLoq. In 27th International Conference on the Theory and Application of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT 2008), volume 4965 of Lecture Notes in Computer Science, pages 1–8. Springer-Verlag, 2008.
28. Markus Kasper, Timo Kasper, Amir Moradi, and Christof Paar. Breaking KeeLoq in a flash: on extracting keys at lightning speed. In 2nd International Conference on Cryptology in Africa, Progress in Cryptology (AFRICACRYPT 2009), volume 5580 of Lecture Notes in Computer Science, pages 403–420. Springer-Verlag, 2009.
29. Keyline. Transponder guide. http://www.keyline.it/files/884/transponder guide 16729.pdf, 2012.
30. Ziv Kfir and Avishai Wool. Picking virtual pockets using relay attacks on contactless smartcard. In 1st International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005), pages 47–58. IEEE Computer Society, 2005.
31. Ilan Kirschenbaum and Avishai Wool. How to build a low-cost, extended-range RFID skimmer. In 15th USENIX Security Symposium (USENIX Security 2006), pages 43–57. USENIX Association, 2006.
32. Kerstin Lemke, Ahmad-Reza Sadeghi, and Christian Stble. An open approach for designing secure electronic immobilizers. In Information Security Practice and Experience (ISPEC 2005), volume 3439 of Lecture Notes in Computer Science, pages 230–242. Springer-Verlag, 2005.
33. Kerstin Lemke, Ahmad-Reza Sadeghi, and Christian Stüble. Anti-theft protection: Electronic immobilizers. Embedded Security in Cars, pages 51–67, 2006.
34. Karsten Nohl. Immobilizer security. In 8th International Conference on Embedded Security in Cars (ESCAR 2010), 2010.
35. Karsten Nohl, David Evans, Starbug, and Henryk Plötz. Reverse engineering a cryptographic RFID tag. In 17th USENIX Security Symposium (USENIX Security 2008), pages 185–193. USENIX Association, 2008.
36. Transponder IC, Hitag2. Product Data Sheet, Nov 2010. NXP Semiconductors.
37. Hitag pro. Product Data Sheet, 2011. NXP Semiconductors.
38. Philippe Oechslin. Making a faster cryptanalytic time-memory trade-off. In 23rd International Cryptology Conference, Advances in Cryptology (CRYPTO 2003), volume 2729 of Lecture Notes in Computer Science, pages 617–630. Springer-Verlag, 2003.
39. Security transponder plus remote keyless entry – Hitag2 plus, PCF7946AT. Product Profile, Jun 1999. Philips Semiconductors.
40. Amir Rahmati, Mastooreh Salajegheh, Dan Holcomb, Jacob Sorber, Wayne P. Burleson, and Kevin Fu. TARDIS: Time and remanence decay in SRAM to implement secure protocols on embedded devices without clocks. In 21st USENIX Security Symposium (USENIX Security 2012). USENIX Association, 2012.
41. Andrew Rukhin, Juan Soto, James Nechvatal, Miles Smid, Elaine Barker, Stefan Leigh, Mark Levenson, Mark Vangel, David Banks, Alan Heckert, James Dray, and San Vo. A statistical test suite for the validation of random number generators and pseudo random number generators for cryptographic applications. NIST Special Publication, pages 800–822, 2001.
42. Mate Soos, Karsten Nohl, and Claude Castelluccia. Extending SAT solvers to cryptographic problems. In 12th International Conference on Theory and Applications of Satisfiability Testing (SAT 2009), volume 5584 of Lecture Notes in Computer Science, pages 244–257. Springer-Verlag, 2009.
43. Frank Stajano and Ross J. Anderson. The resurrecting duckling: Security issues for ad-hoc wireless networks. In 7th International Workshop on Security Protocols (WSP 2000), volume 1796 of Lecture Notes in Computer Science, pages 172–182. Springer-Verlag, 2000.
44. Siwei Sun, Lei Hu, Yonghong Xie, and Xiangyong Zeng. Cube cryptanalysis of Hitag2 stream cipher. In 10th International Conference on Cryptology and Network Security (CANS 2011), volume 7092 of Lecture Notes in Computer Science, pages 15–25. Springer-Verlag, 2011.
45. Petr Štembera and Martin Novotný. Breaking Hitag2 with reconfigurable hardware. In 14th Euromicro Conference on Digital System Design (DSD 2011), pages 558–563. IEEE Computer Society, 2011.
46. Pang-Chieh Wang, Ting-Wei Hou, Jung-Hsuan Wu, and Bo-Chiuan Chen. A security module for car appliances. International Journal of World Academy Of Science, Engineering and Technology, 26:155–160, 2007.
47. I.C. Wiener. Philips/NXP Hitag2 PCF7936/46/47/52 stream cipher reference implementation. http://cryptolib.com/ciphers/hitag2/, 2007.
48. Marko Wolf, Andre Weimerskirch, and Thomas Wollinger. State of the art: Embedding security in vehicles. EURASIP Journal on Embedded Systems, 2007:074706, 2007.
49. Jung-Hsuan Wu, Chien-Chuan Kung, Jhan-Hao Rao, Pang-Chieh Wang, Cheng-Liang Lin, and Ting-Wei Hou. Design of an in-vehicle anti-theft component. In 8th International Conference on Intelligent Systems Design and Applications (ISDA 2008), volume 1, pages 566–569. IEEE Computer Society, 2008.