LOCK IT AND STILL LOSE IT ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS

Similar documents
Lock It and S,ll Lose It - On the (In)Security of Automo,ve Remote Keyless Entry Systems

Overview of some automotive RKE systems

Cracking HiTag2 Crypto

Automotive Security: The Bad and the Ugly. Flavio Garcia University of Birmingham

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

CPSC 467b: Cryptography and Computer Security

Hitag 2 Hell Brutally Optimizing Guess-and-Determine Attacks

Cryptanalysis of KeeLoq code-hopping using a Single FPGA

Cryptanalysis of KeeLoq with COPACOBANA

CSC 474/574 Information Systems Security

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

1.264 Lecture 26. Security protocols. Next class: Anderson chapter 4. Exercise due before class

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Token, Transponder und RFID-Tags Angriffe auf elektronische Zugangskontrollsysteme

Hacking challenge: steal a car!

CPSC 467b: Cryptography and Computer Security

KeeLoq and Side-Channel Analysis Evolution of an Attack

18-642: Cryptography 11/15/ Philip Koopman

Block Cipher Modes of Operation

Dismantling the AUT64 Automotive Cipher

Chapter 3 Block Ciphers and the Data Encryption Standard

ATAK51004-V2 User's Guide

February.18. Abrites Diagnostics for BMW/ Mini version User Manual. Abrites Diagnostics for BMW/Mini version User Manual 1.

Content of this part

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Stream Ciphers. Stream Ciphers 1

ON SECURITY OF BLUETOOTH WIRELESS SYSTEM. Pavel Kucera, Petr Fiedler, Zdenek Bradac, Ondrej Hyncica

Modes of Operation. Raj Jain. Washington University in St. Louis

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Cryptographic Concepts

Broken keys to the kingdom

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Remote Keyless Entry In a Body Controller Unit Application

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Breaking the Bitstream Decryption of FPGAs

CIS 4360 Secure Computer Systems Symmetric Cryptography

Cryptography and Network Security

Cryptography [Symmetric Encryption]

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

IS CAR HACKING OVER? AUTOSAR SECURE ONBOARD COMMUNICATION

05 - WLAN Encryption and Data Integrity Protocols

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

Security: Cryptography

Introduction to Modern Symmetric-Key Ciphers

10/21/2016. ECE 120: Introduction to Computing. Let s Extend Our Keyless Entry FSM. FSM Designs Also Allow Use of Abstraction

Computer Security 3/23/18

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

18-642: Cryptography

FLIGHT TERMINATION COMMAND AUTHENTICATION USING BLOCK ENCRYPTION

A Security Module for Car Appliances

EEC-484/584 Computer Networks

Modern Symmetric Block cipher

Worksheet - Reading Guide for Keys and Passwords

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Bluetooth. March 28, 2005 Patrick Lui

Crypto: Symmetric-Key Cryptography

DataTraveler 5000 (DT5000) and DataTraveler 6000 (DT6000) Ultimate Security in a USB Flash Drive. Submitted by SPYRUS, Inc.

CSC 474/574 Information Systems Security

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CCMP Advanced Encryption Standard Cipher For Wireless Local Area Network (IEEE i): A Comparison with DES and RSA

Adversary Models. CPEN 442 Introduction to Computer Security. Konstantin Beznosov

How to Hack Your Mini Cooper: Reverse Engineering CAN Messages on Passenger Automobiles

Practical Aspects of Modern Cryptography

Security. Communication security. System Security

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

CPS2323. Symmetric Ciphers: Stream Ciphers

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

RFID tags. Inductive coupling is used for. energy transfer to card transmission of clock signal data transfer

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

Fingerprint Identification Keyless Entry System

Tiny Encryption Algorithm

Anonymity. Assumption: If we know IP address, we know identity

Fingerprint Identification Keyless Entry System

Technological foundation

Computer Security CS 526

Chapter 6. Stream Cipher Design

Securing the Connected Car. Eystein Stenberg Product Manager Mender.io

Automotive Attack Surfaces. UCSD and University of Washington

BreakingVault SAP DataVault Security Storage vulnerabilities

Secret Key Algorithms (DES)

Message Authentication Codes and Cryptographic Hash Functions

DEFCON 26 - Playing with RFID. by Vanhoecke Vinnie

The Final Nail in WEP s Coffin

Elements of Security

Block Cipher Modes of Operation

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Information Security CS526

CSC574: Computer & Network Security

Green Lights Forever: Analyzing the Security of Traffic Infrastructure

CPSC 467: Cryptography and Computer Security

Block Ciphers. Secure Software Systems

HAI Network Communication Protocol Description

SEL-3021 Serial Encrypting Transceiver Security Policy Document Version 1.9

Stream Ciphers An Overview

Transcription:

LOCK IT AND STILL LOSE IT ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO KASPER, PIERRE PAVLIDES PRESENTED BY JACOB BEDNARD, WAYNE STATE UNIVERSITY CSC5991

MAJOR CONTRIBUTIONS VW Group vehicles manufactured between 1995 and 2016 are vulnerable due to key reuse in cryptographic algorithms used for remote keyless entry (RKE) Correlation-based attack on Hitag2 which allows recovery of the cryptographic key used in RKE

GAINING ACCESS TO VEHICLES PHYSICAL KEYS

GAINING ACCESS TO VEHICLES ELECTRONIC KEYS

IMMOBILIZER VS REMOTE KEYLESS ENTRY

PASSIVE KEYLESS ENTRY AND START Always on One Meter Radius of Vehicle Bidirectional Challenge Response Scheme Prone to relay attacks Blackmarket tools available

REMOTE KEYLESS ENTRY SYSTEMS (RKE) Used to unlock a vehicle from a distance Unidirectional data transmission from the remote control to vehicle RF Transmitter transmits in the 315Mhz (433/868Mhz - EU) Frequency Band Communication range: 10 s-to-100 s of meters Some use infrared First implementation lacked any means of security

MODERN REMOTE KEYLESS ENTRY Cryptography! Counter value that increments on each button press (i.g. Rolling Code) Comparison of counter between vehicle/remote No replay attacks

RELATED WORK KEELOQ (2008) Used in Garage Door Remote Openers Broken by Cryptoanalysis, Sidechannel Attacks. Cesare (2014) Showed that RKE rolling codes can be predicted by analyzing three-subsequent rolling codes.

NAÏVE APPROACH Selective Jamming When a car owner locks their car, a malicious actor may jam the lock signal from the remote while also recording the transmission. This blocks the car from locking and the actor can utilize a replay attack to access the car. Not that feasible you recorded a lock signal (not an unlock)

PRELIMINARY ANALYSIS OF RKE Bought a variety of RKE remote controls Analyzed their RF outputs using Software Define Radios (SDR) Arduino SDR Platform Majority used Amplitude Shift Keying (ASK) Others used Frequency Shift Keying (FSK) Manchester Encoding or Pulse-width Encoding Bitrate: 1-20 kilobits/second

PRELIMINARY ANALYSIS OF RKE

PRELIMINARY ANALYSIS OF RKE General Frame Layout:

PRELIMINARY ANALYSIS OF RKE Message Authentication: Payload Layout: Unique Identifier (UID) Rolling Counter Value Button Pressed

CASE STUDY 1 VW GROUP ATTACKS Analyzed RKE schemes used in most VW Group vehicles manufactured between 1995 and 2016 How secure are modern RKE systems? Utilized personal vehicles for testing

CASE STUDY 1 VW GROUP ATTACKS Analyzed 7 schemes, 4 of which are discussed:

CASE STUDY 1 VW GROUP ATTACKS Initial Procedure Implement likely modulation/demodulation procedure Test! Realized that key derivation was likely done on the engine control unit (ECU) side.

CASE STUDY 1 VW GROUP ATTACKS Bought numerous ECU s for testing Dumped firmware for Static Analysis Looked for constants, lookups, ciphers, etc. (Can t really tell us much because of disclosure policy)

CASE STUDY 1 VW GROUP ATTACKS VW-1 Scheme: Security by Obscurity First four bytes hold XOR ed UID Linear Feedback Shift Register (LSFR) Unencrypted Counter The button pressed Modified Replay Attacks! (Increment Counter)

CASE STUDY 1 VW GROUP ATTACKS VW-2, VW-3 Schemes: Preamble 8-byte encrypted payload Button Pressed

CASE STUDY 1 VW GROUP ATTACKS VW-2, VW-3 Schemes: Preamble 8-byte encrypted payload Button Pressed AUT64 Encryption Round-cipher 91.55 bit key size GLOBAL MASTER KEY is REUSED ACROSS EVERY VEHICLE

CASE STUDY 1 VW GROUP ATTACKS

CASE STUDY 1 VW GROUP ATTACKS VW-4 Scheme: Same frame format as VW-3 XTEA-cipher 64 Round Feistel Structure, 64-bit block size, 128-bit key Well suited for low-powered remotes Again GLOBAL MASTER KEYS

CASE STUDY 1 VW GROUP ATTACKS Miscellaneous stuff about Counter: Using counter more than 2 increments behind disable remote entry. Must manually be reset 2 or Less Increments behind places remote out of step. Button pressed must happen twice to successfully work.

CASE STUDY 1 VW GROUP ATTACKS Implications: If you successfully can obtain the master key (ECU dump, Bruteforce, etc), you can decrypt the current counter and UID values Access Gained unforcefully Nearly 20 years worth of Volkswagen vehicles vulnerable

CASE STUDY 1 VW GROUP ATTACKS Counter Measures: Physical Locks Seriously that s it.

CASE STUDY 2 HITAG2 SYSTEM Rolling code system Example of RKE Scheme Designed by NXP Not known to use Global Master Keys

CASE STUDY 2 HITAG2 SYSTEM Rolling code system Example of RKE Scheme Designed by NXP Not known to use Global Master Keys Researchers can still crack after 4-8 button presses

CASE STUDY 2 HITAG2 SYSTEM Hitag2 Scheme UID (32-bit) + button(4-bit) + counter(10 of 28 LSB) + checksum(8-bit)

CASE STUDY 2 HITAG2 SYSTEM Hitag2 Stream Cipher 48-bit LSFR Non-Linear Filter Function For each clock cycle: 20-bits are put through filter function 1-bit Key Stream LSFR << 1 Feedback polynomial used to generate new bit on right of LSFR

CASE STUDY 2 HITAG2 SYSTEM Hitag2 Correlation Attack

CASE STUDY 2 HITAG2 SYSTEM Hitag2 Correlation Attack

Hitag2 Correlation Attack

CASE STUDY 2 HITAG2 SYSTEM Results: ~1-Minute Average to crack with typical Laptop Maximum Crack time: ~10-Minutes Issue does arise when guessing the 18-MSBs of counter Not a big deal though. Counter MSBs can be predicted by model year of car

OVERALL VW RKEs are vulnerable because of Master Key reuse Only takes a recording of 1-button press transmit to crack Hitag2 RKEs are vulnerable due to flaw in cryptography Takes 4-8 Button Presses to crack

CONCLUSION Lock it or Lose it is no longer a valid statement (in some cases)

DISCLOSURE

Questions / Comments / Discussion

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback