Lock it and still lose it – on the (in)security of automotive remote keyless entry systems

Proceedings of the 25th USENIX Security Symposium

Volumn , Issue , 2016, Pages 929-944

  Garcia, Flavio D ^a   Oswald, David ^a   Kasper, Timo ^b   Pavlidès, Pierre ^a  

^a UNIVERSITY OF BIRMINGHAM   (United Kingdom)

^b Kasper and Oswald GmbH   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

CLONE CELLS; CLONING; CODES (SYMBOLS); CRYPTOGRAPHY; LOCKS (FASTENERS); REMOTE CONTROL; TELECONTROL EQUIPMENT; VEHICLES;

CRYPTOGRAPHIC ALGORITHMS; CRYPTOGRAPHIC KEY; ELECTRONIC CONTROL UNITS; KEYLESS ENTRY; KEYLESS ENTRY SYSTEMS; REMOTE KEY-LESS ENTRY SYSTEMS; ROLLING CODE; UNAUTHORIZED ACCESS;

AUTOMOBILE MANUFACTURE;

EID: 85076496014     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (35)

1. abc7news. Key fob car thefts, 2013. http://abc7news.com/archive/9079852.
2. arstechnica. After burglaries, mystery car unlocking device has police stumped, 2013. http://arstechnica.com/security/2013/06/after-burglaries-mystery-car-unlocking-device-has-police-stumped.
3. ATMEL. M44C890 Low-Current Microcontroller for Wireless Communication, 2001. datasheet, available at http://pdf1.alldatasheet.com/datasheet-pdf/ view/118247/ATMEL/M44C890.html.
4. ATMEL. e5561 Standard Read/Write Crypto Identification IC, 2006. datasheet, available at http://www.usmartcards.com/media/downloads/366/Atmel%20e5561% 20pdf-190.pdf.
5. ATMEL. Embedded AVR Microcontroller Including RF Transmitter and Immobilizer LF Functionality for Remote Keyless Entry - ATA5795C. datasheet, available at http://www.atmel.com/images/ Atmel-9182-Car-Access-ATA5795C_ Datasheet.pdf, November 2014.
6. Bloessl, B. gr-keyfob. Github repository, 2015. https://github.com/bastibl/ gr-keyfob.
7. Bogdanov, A. Attacks on the KeeLoq Block Cipher and Authentication Systems. In Workshop on RFID Security (RFID-Sec’08)(2007). rfidsec07.etsit.uma.es/ slides/papers/paper-22.pdf.
8. Bono, S. C., Green, M., Stubblefield, A., Juels, A., Rubin, A. D., and Szydlo, M. Security analysis of a cryptographically-enabled RFID device. In 14th USENIX Security Symposium (USENIX Security 2005) (2005), USENIX Association, pp. 1–16.
9. Cesare, S. Breaking the security of physical devices. Presentation at Blackhat’14, August 2014.
10. Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., and Kohno, T. Comprehensive experimental analyses of automotive attack surfaces. In 20th USENIX Security Symposium (USENIX Security 2011) (2011), USENIX Association, pp. 77–92.
11. Courtois, N. T., O’Neil, S., and Quisquater, J.-J. Practical algebraic attacks on the Hitag2 stream cipher. In 12th Information Security Conference (ISC 2009) (2009), vol. 5735 of Lecture Notes in Computer Science, Springer-Verlag, pp. 167–176.
12. Eisenbarth, T., Kasper, T., Moradi, A., Paar, C., Salmasizadeh, M., and Shalmani, M. T. M. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. In Advances in Cryptology – CRYPTO’08 (2008), vol. 5157 of LNCS, Springer, pp. 203–220.
13. European Automobile Manufacturers Associaction. New passenger car registrations, 2015. available at http://www.acea.be/uploads/press_releases_files/ 20151016_PRPC_1509_FINAL.pdf.
14. Francillon, A., Danev, B., and Capkun, S. Relay attacks on passive keyless entry and start systems in modern cars. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2011 (2011), The Internet Society.
15. Indesteege, S., Keller, N., Dunkelmann, O., Biham, E., and Preneel, B. A practical attack on KeeLoq. In 27th International Conference on the Theory and Application of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT 2008) (2008), vol. 4965 of Lecture Notes in Computer Science, Springer-Verlag, pp. 1–8.
16. Kamkar, S. Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars. Presentation at DEFCON 23, August 2015.
17. Kasper, M., Kasper, T., Moradi, A., and Paar, C. Breaking KeeLoq in a Flash: On Extracting Keys at Lightning Speed. In Progress in Cryptology - AFRICACRYPT’09 (2009), B. Preneel, Ed., vol. 5580 of LNCS, Springer, pp. 403–420.
18. Kasper, T., Oswald, D., and Paar, C. Wireless security threats: Eavesdropping and detecting of active RFIDs and remote controls in the wild. In 19th International Conference on Software, Telecommunications and Computer Networks – SoftCOM’11 (2011), pp. 1–6.
19. Keyline S.p.A. RK60 guide, 2015. available at http://www.keyline.it/files/teste-elettroniche/electronic_ heads_guide_13316.pdf.
20. Koscher, K., Czeskis, A., Roesner, F., Patel, F., Kohno, T., Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., and Savage, S. Experimental security analysis of a modern automobile. In 31rd IEEE Symposium on Security and Privacy (S&P 2010) (2010), IEEE Computer Society, pp. 447–462.
21. Laurie, A. Fun with Masked ROMs — Atmel MARC4. Blog entry, 2013. http://adamsblog.aperturelabs.com/2013/01/fun-with-masked-roms.html.
22. Lu, J. Related-key rectangle attack on 36 rounds of the XTEA block cipher. International Journal of Information Security 8, 1 (2008), 1–11.
23. Moradi, A., and Kasper, T. A new remote keyless entry system resistant to power analysis attacks. In Information, Communications and Signal Processing – ICICS 2009 (2009), IEEE, pp. 1–6.
24. Needham, R. M., and Wheeler, D. J. TEA extensions. Technical Report, Cambridge University, UK (1997).
25. Newport Beach PD. Lock It Or Lose It - Newport Beach Vehicle Crime, 2011. Video available at https://www.youtube.com/watch?v=Mmi2LRF7al8.
26. Philips. PCF7946AT – Security Transponder Plus Remote Keyless Entry, 1999. datasheet, available at http://www.datasheet4u.com/pdf/PCF7946AT-pdf/609011.
27. spencerwhyte. Jam Intercept and Replay Attack against Rolling Code Key Fob Entry Systems using RTL-SDR. Website, retrieved January 21, 2016, March 2014. http://spencerwhyte.blogspot.ca/2014/03/delayattack-jam-intercept-and-replay.html.
28. Sun, S., Hu, L., Xie, Y., and Zeng, X. Cube cryptanalysis of Hitag2 stream cipher. In 10th International Conference on Cryptology and Network Security (CANS 2011) (2011), vol. 7092 of Lecture Notes in Computer Science, Springer-Verlag, pp. 15–25.
29. Tillich, S., and Wójcik, M. Security analysis of an open car immobilizer protocol stack. In 10th International Conference on Applied Cryptograpy and Network Security (ACNS 2012) (2012).
30. Verdult, R. The (in)security of proprietary cryptography. PhD thesis, Radboud University, The Netherlands and KU Leuven, Belgium, April 2015.
31. Verdult, R., and Garcia, F. D. Cryptanalysis of the Megamos Crypto automotive immobilizer. USENIX;login: 40, 6 (2015), pp. 17–22.
32. Verdult, R., Garcia, F. D., and Balasch, J. Gone in 360 seconds: Hijacking with Hitag2. In USENIX Security Symposium (August 2012), USENIX Association, pp. 237–252. https://www.usenix.org/system/ files/conference/usenixsecurity12/ sec12-final95.pdf.
33. Verdult, R., Garcia, F. D., and Ege, B. Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer. In 22nd USENIX Security Symposium (USENIX Security 2013) (2015), USENIX Association, pp. 703–718.
34. Štembera, P., and Novotný, M. Breaking Hitag2 with reconfigurable hardware. In 14th Euromicro Conference on Digital System Design (DSD 2011) (2011), IEEE Computer Society, pp. 558–563.
35. Wiener, I. Philips/NXP Hitag2 PCF7936/46/47/52 stream cipher reference implementation. http://cryptolib.com/ciphers/hitag2/, 2007.