Post on 06-Feb-2018

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars

Srdjan Čapkun (joint work with Aurélien Francillon, Boris Danev)

System Security Group, May 11, 2011

Agenda

1. Overview of Car Key Systems
2. Previous Attacks: In Practice
3. Passive Keyless Entry and Start Systems
4. Relay Attacks
5. Analysis on 10 Models
6. Conclusion

Modern Cars Evolution

- Increasing amount of electronics in cars
- For convenience, security and safety

Figure: electronics in a modern car: entertainment, TPMS (Usenix Security 2010), on-board computers and networks (S&P 2010), distance radar, engine control, key systems.

4 Categories of Key Systems

- Metallic key
- Remote active open
- Immobilizer chips
- Passive Keyless Entry and Start (PKES)

Car Keys: Active Remote Open

- Active keys:
  - Press a button to open the car
  - Physical key to start the car
  - Need to be close (<100 m)
- Shared cryptographic key between the key and the car
- Previous attacks: weak cryptography
  - e.g. KeeLoq (Eurocrypt 2008, Crypto 2008, Africacrypt 2009)
  - In Microchip devices

Keys With Immobilizer Chips

- Immobilizer chips
  - Passive RFID
  - Authorizes starting the engine
  - Close proximity: centimeters
- Present in most cars today
  - With metallic key
  - With remote open
- Shared cryptographic key between the key and the car
- Previous attacks: weak cryptography
  - e.g. Texas Instruments DST, Usenix Security 2005, “Security Analysis of a Cryptographically-Enabled RFID Device”

Passive Keyless Entry and Start

- PKES / Smart Key …
  - Need to be close (<2 m) and the car opens
  - Need to be in the car to start the engine
  - No need for human action on the key
- Allows opening and starting the car

Agenda: 2. Previous Attacks: In Practice

Protocol Attacks

- Replay/forge messages
  - On very badly designed systems
- Requirements:
  - Eavesdrop messages + ability to resend them
  - Only a few messages are sufficient
  - No freshness check
  - Can be reused without the presence of the car owner
- Allows creating a fake key to open/close/start the car
- Probably no longer present on the market now
- We found one “after market” system vulnerable to this attack
  - Bought on the internet

Radio Jamming Attacks

- Requirements:
  - A radio device close to the car
  - Jams the frequency of the key system
  - Thief/device needs to be present while the car is closed
- Jam the “close” radio message sent by the key (car owner)
  - Prevents the car from closing
  - User may notice, or not …
  - Does not by itself allow starting the car

Cryptographic Attacks

- On Active Remote Open and Immobilizer Chips
- Requirements:
  - Require eavesdropping on message exchanges
  - Sometimes thousands of exchanges
  - Some require physical access to the key
- Allows recovering the cryptographic key
  - Create a “fake key” from the cryptographic key material

Software Attacks

- Cars are computer systems: a network of computers
  - Critical systems (brakes, etc.)
  - Entertainment: audio, video …
  - Wireless networks: GSM/3G, wireless interfaces (TPMS)
- Complexity brings new security problems
  - IEEE S&P 2010, report 2011: from UC San Diego / Washington University
  - Possible attacks to execute malicious code on the on-board computers
  - E.g. prevent braking / unexpected braking
  - Infection from the internal bus (OBD-II) or remote wireless interfaces
  - This could lead to theft, forced accidents

Agenda: 3. Passive Keyless Entry and Start Systems

PKES Modes of Operation

- Normal mode of operation: Passive Open and Start
  - Uses 2 radio channels (Key <-> Car)
- Active Remote Open mode: button on the key
  - One-way messages (Key -> Car)
  - Like previous remote active open keys
- Battery depleted mode: metallic key in the key fob
  - Passive RFID, bidirectional (Key <-> Car)
  - Key fob immobilizer chip
  - Like immobilizers: centimeters

Passive Keyless Entry and Start

- PKES
  - Need to be close (<2 m) and the car opens
  - Need to be in the car to start the engine
  - No need for human action on the key

Passive Keyless Entry and Start

Two radio channels:
- LF (120 – 135 kHz), range 1-2 meters
- UHF (315 – 433 MHz), range 50-100 meters

Message exchange (the car transmits on LF, the key answers on UHF):
1. Periodic scan (LF)
2. Acknowledge proximity (UHF)
3. Car ID || Challenge (LF)
4. Key Response (UHF)

PKES Systems: Summary

- Cryptographic key authentication with challenge response
  - Replaying old signals impossible
  - Timeouts, freshness
- Car to key: inductive low frequency signals
  - Signal strength ~ d^-3
- Physical proximity
  - Detected by reception of messages
  - Induced in the key’s antenna
- The system is vulnerable to relay attacks

Agenda: 4. Relay Attacks on PKES

Relay-over-cable Attack on PKES

- Very low cost attack (~50 CHF)
- Independent of model / protocol / cryptography

Physical Layer Relay With Cable

Figure: physical layer relay with cable.

Relay Over the Air Attack

- Higher cost (~1000 CHF)
- Fast and difficult to detect
- Independent of model / protocol / cryptography
- Tested up to 50 m

Physical Layer Wireless Relay

Figure: physical layer wireless relay (2.5 GHz).

Agenda: 5. Analysis on 10 Models

Analysis on 10 Models

- Car models with PKES
  - 10 models from 8 manufacturers
  - All use LF/UHF technology
- None uses the exact same protocol
  - From recorded traces
  - Some use longer messages
  - Strong crypto?

Relay Over Cable vs. Model

- Cables: 10, 30 and 60 m
- Longer distances depend on the setup

Key to Antenna Distance

Figure: key to antenna distance.

How Much Delay Is Accepted by the Car?

- The maximum relay distance depends on
  - Acceptable delay
  - Speed of radio waves (~ speed of light)
- Possibility to relay at higher levels?
  - E.g. relay over IP?
- To know that, we need to delay radio signals
  - Various lengths of cable: not practical
  - Scope/signal generator: too slow
  - Software Defined Radios: still too slow

Inserting a Tunable Delay

- We used a Software Defined Radio: USRP/GNU Radio
  - Minimum delay 15 ms
  - Samples processed by a computer
  - Delays added by the USB bus
- We modified the USRP’s FPGA to add tunable delays
  - From 5 µs to 10 ms
  - Buffering samples on the device
  - Samples directly replayed, without processing on the computer

Maximum Accepted Delay vs. Model

Figure: maximum accepted delay per model, annotated with the relay distance each delay corresponds to: 35 µs => 5 km, 10 ms => 1500 km.

- Non physical layer relays difficult with most models
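The PKES summary (challenge/response over LF/UHF) and the delay-to-distance figures above, as an added worked example that is not part of the original presentation: a minimal model of the car/key exchange in which a relay that only forwards the signals passes the cryptographic check regardless of the key material, and only a bound on the extra round-trip delay can reject it. The speed-of-light conversion reproduces the 35 µs => 5 km and 10 ms => 1500 km annotations; the HMAC-SHA256 response, the message layout and the delay values are assumptions, not the protocol of any tested car.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # propagation speed of radio waves in air, m/s (~ speed of light)

def max_relay_distance_m(accepted_delay_s):
    """Longest relay a car tolerating `accepted_delay_s` of extra delay cannot detect.
    Challenge and response both cross the relay, so the tolerated delay is split
    over two traversals: distance = c * delay / 2 (35 us -> ~5 km, 10 ms -> ~1500 km)."""
    return C * accepted_delay_s / 2.0

def max_extra_delay_s(bound_m):
    """Extra round-trip delay a proximity check must reject to keep a relay
    within `bound_m` (inverse of max_relay_distance_m)."""
    return 2.0 * bound_m / C

# Constructed model of steps 3 and 4 of the PKES exchange: the car sends
# Car ID || Challenge (LF), the key answers with a keyed response (UHF).
# HMAC-SHA256 is an assumed stand-in for the cars' undisclosed ciphers.
def key_response(shared_key, car_id, challenge):
    # The key fob answers any challenge it hears; it has no notion of distance.
    return hmac.new(shared_key, car_id + challenge, hashlib.sha256).digest()

def car_verify(shared_key, car_id, challenge, response, extra_delay_s, accepted_delay_s):
    """Return (crypto_ok, timing_ok): crypto_ok is all a challenge/response car
    checks; timing_ok is what a car that also bounds round-trip delay would add."""
    expected = key_response(shared_key, car_id, challenge)
    crypto_ok = hmac.compare_digest(expected, response)
    timing_ok = extra_delay_s <= accepted_delay_s
    return crypto_ok, timing_ok

def relayed_open_attempt(relay_extra_delay_s, accepted_delay_s):
    """One passive-open attempt with the key out of LF range and a relay in
    between; the relay forwards the signals unchanged and only adds delay."""
    shared_key = os.urandom(16)            # constructed; only car and key hold it
    car_id = b"CAR-ID-CONSTRUCTED"
    challenge = os.urandom(8)
    # Relay carries the challenge to the key and the key's answer back to the car.
    response = key_response(shared_key, car_id, challenge)
    return car_verify(shared_key, car_id, challenge, response,
                      relay_extra_delay_s, accepted_delay_s)
```

Bounding the relay to the nominal 2 m LF range means rejecting anything beyond roughly 13 ns of extra delay, which is why the slides list distance bounding as a long-term countermeasure with challenges still to solve.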

Implications of the Attack

- Relay on a parking lot
  - One antenna near the elevator
  - Attacker at the car while the car owner waits for the elevator
- Keys in a locked house, car parked in front of the house
  - E.g. keys left on the kitchen table
  - Put an antenna close to the window, open and start the car without entering the house
  - Tested in practice

Additional Insights

- Once started, the car can be driven away without maintaining the relay
  - It would be dangerous to stop the car when the key is no longer available
  - Some beep, some limit speed
- No trace of entry/start
  - Legal / insurance issues

Agenda: 6. Conclusion

Countermeasures

- Immediate protection mechanisms
  - Shield the key
  - Remove the battery
  - Seriously reduces the convenience of use
- Long term
  - Build a secure system that securely verifies proximity
  - e.g.: Realization of RF Distance Bounding, Usenix Security 2010
  - Still some challenges to address before a usable system

Conclusion

- This is a simple concept, yet an extremely efficient attack
  - Real world use of physical layer relay attacks
  - Relays at the physical layer are extremely fast and efficient
- All tested systems so far are vulnerable
  - Completely independent of protocols, authentication, encryption
- Techniques to perform secure distance measurement are required, on a budget
  - Still an open problem

Questions?

Contact:
- Aurélien Francillon, aurelien.francillon@inf.ethz.ch
- Boris Danev, bdanev@inf.ethz.ch
- Srdjan Capkun, capkuns@inf.ethz.ch

Relevant Work

- A Practical Attack on KeeLoq. S. Indesteege, N. Keller, E. Biham, O. Dunkelman, B. Preneel. EUROCRYPT 2008.
- On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, M. T. Manzuri Shalmani. CRYPTO 2008.
- Breaking KeeLoq in a Flash: On Extracting Keys at Lightning Speed. M. Kasper, T. Kasper, A. Moradi, C. Paar. AFRICACRYPT 2009.
- Security Analysis of a Cryptographically-Enabled RFID Device. S. C. Bono, M. Green, A. Stubblefield, A. Juels. USENIX Security 2005.

Relevant Work

- Experimental Security Analysis of a Modern Automobile, www.autosec.org
- Taking Control of Cars From Afar, http://www.technologyreview.com/computing/35094/
- Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study
- Wireless Car Sensors Vulnerable to Hackers, http://www.technologyreview.com/communications/25962/

Internals of a PKES Key

Figure: internals of a PKES key, labelled: 433 MHz antenna; 130 kHz passive RFID; 130 kHz antenna/coil; 433 MHz radio + MCU.

Passive Keyless Entry and Start Systems (1/2)

- System overview
- PKES car key
- Access regions

Tunable Delay: Data Path

- Minimum delay 15 ms
  - Data path: Radio => ADC => USRP => USB => PC => USB => USRP => DAC => Radio
- USRP’s FPGA modification with tunable delays
  - From 5 µs to 10 ms
  - Buffering samples on the device before replay
  - Data path: Radio => ADC => FPGA (FIFO adds delay) => DAC => Radio