In recent years, the security analysis of automotive systems has gained significant attention, including attacks on the vehicle CAN bus (with severe safety implications) and on the immobilizer. In this talk, we present our new work on the insecurity of automotive remote keyless entry (RKE) systems, i.e., the part of the car key that allows one to wirelessly open/close the doors and the trunk. We demonstrate different attacks on two extremely widespread RKE systems: the scheme used by the VW group (Volkswagen, Seat, Skoda, Audi) and the Hitag2 system (employed by a number of vendors including Alfa Romeo, Peugeot, Lancia, Opel, Renault, and Ford among others). The talk concludes with a discussion of these attacks in the wider context of automotive security and an outline of potential countermeasures.
HIS 2017, David Oswald: Your car is not a safe box - breaking automotive keyless entry systems
1. Wireless Attacks on Automotive Remote Keyless Entry Systems
David Oswald (1)
joint work with: Flavio D. Garcia (1), Timo Kasper (2) and Pierre Pavlidès (1)
(1) University of Birmingham, UK
(2) Kasper & Oswald GmbH, Germany
3. Remote Keyless Entry (RKE)
• Active UHF transmitter (315 / 433 / 868 MHz)
• Unidirectional
• Sometimes integrated with immobilizer chip (“hybrid”), sometimes separate
Immobilizer (Immo)
• Passive RFID at 125 kHz
• Many broken systems (DST40, Hitag2, Megamos)
8. Previous attacks on RKE
• 2007: Cryptanalysis of KeeLoq garage door openers (2^16 plaintext/ciphertext pairs) by Biham et al.
• 2008: Side-channel attack on KeeLoq key diversification (Eisenbarth et al.)
• 2010: Relay attacks on passive keyless entry systems (Francillon et al.)
• 2015: “RollJam” by Spencerwhyte / Kamkar (had been proposed before)
13. VW Group RKE
• > 10% worldwide market share
• Immobilizer (Megamos) and RKE separate for most vehicles
• Proprietary RKE system, mostly 434.4 MHz
• We analyzed vehicles between ~2000 and today
• Four main schemes (VW-1 … VW-4) studied
17. Example: VW-3
• AUT64 is a proprietary block cipher, no trivial attacks known
• … but key K3 is the same in all VW-3 vehicles
• VW-2: Same cipher, different (global) key
• VW-4: Newer cipher, still a global key
• VW-1: Weak crypto (LFSR)
Diagram: AUT64 under key K3 applied to (uid, ctr’, btn’), with btn alongside
22. Previous work on Hitag2
• At Usenix Security ’12, Verdult et al. presented a secret key recovery attack against the Hitag2 immobilizer requiring:
– Immobilizer transponder uid
– 136 authentication attempts from the car
– 5 minutes computation
• Note: This attack is not car-only due to the first requirement
23. RKE protocol (simplified)
Car stores diversified keys, one entry per key fob: (id1, k1, ctr1), (id2, k2, ctr2), (id3, k3, ctr3)
Key fob → car: uid, btn, ctr, MACk, crc
Car: if (ctr1 < ctr’1 < ctr1 + Δ) then ctr1 := ctr’1 ; open
MACk is 32 bits of keystream
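The receiver-side check from slide 23, as an added Python illustration (not code from the talk, and not Hitag2): the car holds the diversified-key table (id_i, k_i, ctr_i) and opens only if CRC and MAC verify and the counter lies in the window ctr_i < ctr’ < ctr_i + Δ. The 32-bit keystream MAC is replaced by truncated HMAC-SHA256, and the frame layout, CRC-32 and the value of Δ are assumptions.

```python
import hashlib
import hmac
import struct
import zlib

# Acceptance window Δ for the counter (constructed value, not from the talk).
DELTA = 256

def mac32(k: bytes, uid: int, btn: int, ctr: int) -> int:
    """Stand-in for the slide's 'MAC_k = 32 bits of keystream': HMAC-SHA256
    over the message fields, truncated to 32 bits (assumption, not Hitag2)."""
    msg = struct.pack(">IBI", uid, btn, ctr)
    return int.from_bytes(hmac.new(k, msg, hashlib.sha256).digest()[:4], "big")

def encode(k: bytes, uid: int, btn: int, ctr: int) -> bytes:
    """Key-fob side: frame = uid, btn, ctr, MAC_k, crc (fixed-width, big-endian)."""
    body = struct.pack(">IBII", uid, btn, ctr, mac32(k, uid, btn, ctr))
    return body + struct.pack(">I", zlib.crc32(body))

class Car:
    """Receiver holding the diversified-key table (id_i, k_i, ctr_i) of slide 23."""

    def __init__(self, keys: dict):
        # uid -> [k_i, ctr_i]; ctr_i is the last accepted counter for that fob
        self.keys = {uid: [k, ctr] for uid, (k, ctr) in keys.items()}

    def receive(self, frame: bytes) -> str:
        if len(frame) != 17:
            return "reject: length"
        body, (crc,) = frame[:13], struct.unpack(">I", frame[13:])
        if zlib.crc32(body) != crc:
            return "reject: crc"
        uid, btn, ctr_rx, mac_rx = struct.unpack(">IBII", body)
        entry = self.keys.get(uid)
        if entry is None:
            return "reject: unknown uid"
        k, ctr = entry
        expected = mac32(k, uid, btn, ctr_rx).to_bytes(4, "big")
        if not hmac.compare_digest(expected, mac_rx.to_bytes(4, "big")):
            return "reject: mac"
        # The window check from the slide: ctr_i < ctr' < ctr_i + Δ.
        # ctr' <= ctr_i is a replayed frame; ctr' >= ctr_i + Δ is out of sync.
        if not (ctr < ctr_rx < ctr + DELTA):
            return "reject: counter outside window"
        entry[1] = ctr_rx  # ctr_i := ctr'
        return "open"
```

A replayed frame fails only at the counter check, which is why the MAC alone does not protect a unidirectional rolling-code scheme against capture-and-replay.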
24. Our novel attack requires:
• ≈ 4 to 8 traces (key presses)
• $40 Arduino board can collect them
• Speeding up trace collection: device also implements reactive jamming
Diagram: frame uid, btn, ctr, MACk, crc
29. Countermeasures
• For owners of affected vehicles:
– Stop using RKE (unrealistic)
– Hope for vendor upgrade (unrealistic)
– Do not leave valuables in car
– Multiple failed unlock attempts = suspicious
• For manufacturers (in general, not only RKE):
– Use secure key distribution and good crypto
– E.g. exchange keys via LF (immo) once and use AES for RKE
30. Conclusions
• We informed VW Group of our findings back in Dec 2015 and NXP Semiconductors in Jan 2016.
• Weaknesses in the Hitag2 cipher known for many years but still used in new (2016) vehicles
• This research may explain several mysterious theft cases without signs of forced entry
• Unfortunately, poor crypto still common in vehicles (and other long-lifetime systems)
and still