Lock It and Lose It Anyway
David Oswald
School of Computer Science,
University of Birmingham, UK.
d.f.oswald@bham.ac.uk
Timo Kasper
Kasper & Oswald GmbH, Germany.
info@kasper-oswald.de
Pierre Pavlidès
School of Computer Science,
University of Birmingham, UK.
pierre@pavlides.fr
Abstract
For several decades, car keys have been used to physically secure vehicles. Initially, simple mechanical
keys were introduced to open the doors, unlock the
steering, and operate the ignition lock to start the
engine. Given physical access to a mechanical key,
or with a detailed photograph at hand, it is possible
to create a duplicate. In addition, mechanical tumbler locks and disc locks are known to be vulnerable to techniques such as lock-picking and bumping
that allow a lock to be operated without the respective
key. Finally, for most types of car locks, locksmith
tools exist that make it possible to decode the lock and create
a matching key.
1.1
Car Keys
With electronic accessories becoming available, additional features were integrated into the locking and
starting systems of cars: some of them to improve
the comfort, others to increase security. On the side
of the car key, this implies some electronic circuitry
integrated in its plastic shell, as illustrated in Figure 1. Note that the link between Remote Keyless
Entry (RKE) and immobilizer is optional. In the
Hitag2 system (Section 4), the immobilizer interface
can be used to re-synchronize the counter used for
RKE, while VW Group vehicles (Section 3) completely separate RKE and immobilizer. In vehicles
with Passive Keyless Entry and Start (PKES) (Section 1.1.2), the low-frequency immobilizer link is
used to trigger the transmission of a door opening
signal over the high-frequency RKE interface.
1.1.1
Immobilizer Transponders
USENIX Association
[Figure 1: electronic components of a car key. Labels: mechanical part (key blade), Button(s), RKE, RF, RKE antenna, optional, Immo. RFID, Immobilizer (125 kHz)]
1.1.2
Today, certain modern cars (especially made by luxury brands) are equipped with PKES systems that
rely on a bidirectional challenge-response scheme,
with a small operating range of about one meter:
When in proximity of the vehicle, the car key generates a cryptographic response to a challenge transmitted by the car. A valid response unlocks the
doors, deactivates the alarm system, and enables the
engine to start. As a consequence, the only remaining mechanical part in some cars is a door lock for
emergencies (usually found behind a plastic cover
on the driver's side), to be used when the battery is
depleted.
Unfortunately, PKES does not require user interaction (such as a button press) on the side of the
car key to initiate the cryptographic computations
and signal transmission. The lack of user interaction makes PKES systems prone to relay attacks, in
which the challenge and response signals are relayed
via a separate wireless channel: The car key (e.g., in
the pocket of the victim) and vehicle (e.g., parked
hundreds of meters away) will assume their mutual
proximity and successfully authenticate. Since the
initial publication of these relay attacks in 2011 [14],
tools that automatically perform relay attacks on
PKES systems are available on the black market and
are potentially used by criminals to open, start, and
steal vehicles.
1.1.3
RKE systems rely on a unidirectional data transmission from the remote control, which is embedded in
the car key, to the vehicle. Upon pressing a button,
an active Radio Frequency (RF) transmitter in the
remote control usually generates signals in a freely
usable frequency band. These include the 315 MHz
band in North America and the 433 MHz or 868 MHz
band in Europe, with a typical range of several tens
to hundreds of meters. Note that a few old cars have
been using infrared technology instead of RF. RKE
systems enable the user to comfortably lock and un
trol to lock the car. The victim may not notice the
attack and thus leave the car open. A variant of
the attack is selective jamming, i.e., a combined
eavesdropping-and-jamming approach: The transmitted rolling code signal is monitored and at the
same time jammed, with the effect that the car is
not locked and the attacker possesses a temporarily
valid (one-time) rolling code. Consequently, a car
could be found appropriately locked after a burglary. This approach was first mentioned in [17] and
later practically demonstrated by [16,27]. Note that
one successful transmission of a new rolling code
from the original remote to the car usually invalidates all previously eavesdropped rolling codes, i.e.,
the time window for the attack is relatively small.
Furthermore, it is usually not possible to change
the signal contents, for example, convert a lock
command into an unlock. This limitation is often
overlooked (e.g. in [16, 27]) and severely limits the
practical threat posed by this type of attack.
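The receiver-side bookkeeping behind the two limits described above (a newer accepted code invalidates older ones, and a lock code cannot be edited into an unlock), as an added example that is not from the paper. It assumes a generic HMAC-authenticated counter scheme with a per-remote key; the packet layout, `WINDOW`, and all values are constructed for illustration and do not reproduce any manufacturer's scheme.

```python
import hashlib
import hmac
import struct

LOCK, UNLOCK = 1, 2
WINDOW = 16  # assumed look-ahead: how far ahead of the last counter a code may be

def make_code(key, uid, ctr, btn):
    """Remote side: the MAC covers UID, counter and button together."""
    body = struct.pack(">IIB", uid, ctr, btn)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, key, uid):
        self.key, self.uid, self.last_ctr = key, uid, 0

    def accept(self, packet):
        if len(packet) != 17:
            return False
        body, tag = packet[:9], packet[9:]
        uid, ctr, _btn = struct.unpack(">IIB", body)
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if uid != self.uid or not hmac.compare_digest(tag, good):
            return False          # forged or modified packet
        if not self.last_ctr < ctr <= self.last_ctr + WINDOW:
            return False          # replayed, stale, or too far ahead
        self.last_ctr = ctr       # accepting invalidates every older code
        return True

def run_scenario():
    key, uid = bytes(range(16)), 0x1234       # constructed sample values
    jammed = make_code(key, uid, 1, LOCK)     # sent, but never reached the car
    later = make_code(key, uid, 2, LOCK)      # owner's next button press
    flipped = jammed[:8] + bytes([UNLOCK]) + jammed[9:]  # lock -> unlock edit
    car_a = Receiver(key, uid)                # car that received the later code
    car_b = Receiver(key, uid)                # car that received nothing since
    return {
        "flipped_rejected": not car_a.accept(flipped),
        "later_accepted": car_a.accept(later),
        "jammed_now_stale": not car_a.accept(jammed),
        "later_replay_rejected": not car_a.accept(later),
        "jammed_still_valid": car_b.accept(jammed),
        "jammed_is_one_time": not car_b.accept(jammed),
    }

if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The `car_b` case is the exposure window the text describes: a code that never reached the vehicle stays acceptable exactly once, and only until any newer code is received.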
1.2
In this paper, we study several extremely widespread RKE systems and reveal severe vulnerabilities, affecting millions of vehicles worldwide. Our
research was in part motivated by reports of unexplained burglaries of locked vehicles (for example [1,
2]), as well as scientific curiosity regarding the security of our own, personal vehicles.
The remainder of this paper is structured as follows: In Section 2, we briefly summarize the results
of our preliminary analysis of different RKE systems
solely by analyzing the transmitted RF signals. The
main contributions presented subsequently are:
1. In Section 3, we analyze the RKE schemes
employed in most VW Group vehicles
between 1995 and today.
By reverse-engineering the firmware of the respective Electronic Control Units (ECUs), we discovered
that VW Group RKE systems rely on cryptographic schemes with a single, worldwide master key, which allows an adversary to gain unauthorized access to an affected vehicle after
eavesdropping a single rolling code.
2. In Section 4, we study an RKE scheme based
on the Hitag2 cipher, as used by many different manufacturers. We have reverse-engineered
the protocol in a black-box fashion and present
a novel, fast correlation attack on Hitag2 applicable in an RKE context. By eavesdropping
four to eight rolling codes, an adversary can re
[Figure: packet structure with fields Preamble, Start pattern, Payload, Checksum]
With over 23% market share in Europe (September 2015) and 11.1% worldwide (August 2014), the
VW Group is amongst the leading global automotive manufacturers [13]. We had access to a wide
variety of VW Group vehicles for our security analysis, from vehicles manufactured in the early 2000s
to ones for the model year 2016. In total, the VW
Group has sold almost 100 million cars from 2002
until 2015. While not all of these vehicles use the
3.1
VW-1: The oldest system, used in model years until approximately 2005. The remote control transmits On-Off-Keying (OOK) modulated signals at
433.92 MHz, using pulse-width coding at a bitrate
of 0.667 kBit/s.
VW-2: Used from approximately 2004 onwards.
The operating frequency is 434.4 MHz using OOK
(same as for VW-3 and VW-4), transmitting
Manchester-encoded data at a bitrate of 1 kBit/s.
VW-3: Employed for models from approximately 2006 onwards, using a frequency of 434.4 MHz
and Manchester encoding at a bitrate of 1.667 kBit/s.
The packet format differs considerably from VW-2.
VW-4: The most recent scheme we analyzed, found
in vehicles between approximately 2009 and 2016.
The system shares frequency, encoding, and packet
format with VW-3, but uses a different encryption
algorithm (see below).
The remaining three schemes are used in
Audi vehicles from approximately 2005 until 2011
(VW-5), the VW Passat since 2005 (model B6/type
3C and newer, VW-6) and new VW vehicles like the
Golf 7 (VW-7). We have not further investigated
the security of these systems, but at least for older
vehicles, it seems likely that similar design choices
as for VW-1 to VW-4 were made.
For our initial analyses, we implemented the most
likely demodulation and decoding procedure for all
of the above systems. We then collected rolling codes
of multiple remote controls for each scheme and compared the resulting data. For all schemes VW-1
to VW-4, we found that most of the packet content
appeared to be encrypted, except for a fixed start
pattern and the value of the pressed button sent
in plain. We hence assumed that all systems use
implicit authentication, i.e., check the correctness
of a rolling code after decryption. Demodulation
routines for VW-3 and VW-4 were independently
published in 2015 [6] after we had carried out our preliminary analysis. Note that this does not cover any
of the cryptographic algorithms presented here.
(byte-permuted) state of a Linear Feedback Shift Register (LFSR) that is clocked a fixed number of ticks
for each new rolling code (i.e., the LFSR state has
the role of a counter). For reasons of responsible
disclosure, we do not provide the full details of the
obfuscation function and the LFSR feedback in this
paper. One bit of the final nibble btn indicates the
pressed button. The overall structure of a VW-1
rolling code packet is shown in Figure 6:
[Figure 6: VW-1 rolling code packet. Fields with bit offsets: UID (0), lfsr (32), btn (56 to 59)]
3.2
3.3
[Figure: packet structure. Fields: start, UID, ctr, btn, btn; bit offsets 0, 24, 56, 80, 88, 95]
[Figure: cipher structure. Labels: a0 a1 ... a7, Byte permutation, g, Combining function f, keyi, S-Box, Bit perm., S-Box; widths 8 and 32]
3.4
In newer VW Group vehicles from approximately 2009 onwards, we found an RKE system that has
the same encoding and packet structure as VW-3 (although with a different start pattern), but does not
employ the AUT64 cipher. For this system VW-4,
3.5
Vulnerable Vehicles
Our findings affect amongst others the following VW Group vehicles manufactured between
1995 and 2016. Cars that we have practically tested
are highlighted in bold. Note that this list is not exhaustive, as we did not have access to all types and
model years of cars, and that it is unfortunately not
clear if and when a car model has been upgraded to
a newer scheme.
3.5.2
Temporary Countermeasures
4.1
Hitag2 Cipher
4.3
$x_2, x_3, x_5 \ldots x_{46}$ we shall define $f_{20} : \mathbb{F}_2^{20} \to \mathbb{F}_2$,
writing $f(x_0 \ldots x_{47})$ as $f_{20}(x_2, x_3, x_5 \ldots x_{46})$.
4.2
Cipher Initialization
4.4
This section describes a practical key-recovery correlation attack against Hitag2. This attack requires
a minimum of four rolling codes (traces), but will
be faster and have higher success probability if more
are provided. The rolling codes can have an arbitrary counter value, i.e., do not have to be consecutive. In fact, the probability of success is higher
[Figure 10: filter function f20 over LFSR bits 0 to 47. Labels: fa = 0xA63C, fb = 0xA770, fb = 0xA770, fb = 0xA770, fa = 0xA63C, fc = 0xD949CBB0, keystream]
[Figure: rolling code packet. Fields: 0x0001, UID, btn, lctr, ks, 0, chk; bit offsets 16, 48, 52, 62, 94, 95, 102]
1. The adversary first guesses a 16-bit window corresponding to LFSR stream bits $a_{32} \ldots a_{47}$. Observe that $a_{32} \ldots a_{47} = k_0 \ldots k_{15}$ and together with
the UID, this gives the adversary LFSR bits
$a_0 \ldots a_{47}$, see Definition 4.4. Also note that
$a_0 \ldots a_{47}$ is constant over all traces. The adversary can now compute $b_0 = f(a_0 \ldots a_{47})$.
2. The adversary will then shift this 16-bit window
to the left of the LFSR, until bits $a_{32} \ldots a_{47}$ are on
the very left of the LFSR. This is the point when
the cipher starts outputting ks, see Equation 5.
3. Next, the adversary will compute a correlation
score for this guess. The window determines 8
input bits $x_0 \ldots x_7$ to the filter function $f_{20}$ (see
Figure 10) while the remaining 12 inputs remain
unknown. This correlation is taken as the ratio of
those $2^{12}$ input values $x_8 \ldots x_{19}$ that produce the
correct keystream bit ($ks_0$). Furthermore, shifting our window further to the left allows the adversary to perform tests on multiple keystream
bits ($ks_0 \ldots ks_{15}$). However, with every bit shift,
the window becomes smaller as the leftmost bits
will fall outside the LFSR, meaning that more
input bits are unknown.
The power of this attack comes from using the window on the right of the LFSR to compute the necessary keystream bits to correct the internal state,
while combining different traces and using the window on the left of the LFSR to get meaningful correlation information on multiple keystream bits.
4.5
Model              Year
Giulietta          2010
Cruze Hatchback    2012
Nemo               2009
Logan II           2012
Punto              2016
Ka                 2009, 2016
Delta              2009
Colt               2004
Micra              2006
Vectra             2008
Combo              2016
207                2010
Boxer              2016
Clio               2011
Master             2011
Conclusion
Security and Safety Implications
The implications of our findings are manifold: Personal belongings left in a locked vehicle (as well as vehicle
components like the infotainment system) could be
stolen if a thief uses the vulnerabilities of the RKE
system to unlock the vehicle after the owner has left.
This approach is considerably more stealthy and
harder to prevent than the currently known methods of theft (e.g., using physical force or jamming
the rolling code). Moreover, since a valid rolling
code usually disables the alarm system, the theft is
more likely to remain undetected for a longer period
of time. Common recommendations like "lock it or
lose it" [25] or verify that the vehicle has been successfully locked and the transmission has not been
jammed (blinking direction lights, sound) are hence
no longer sufficient to effectively prevent theft. A
successful attack on the RKE and anti-theft system
would also enable or facilitate other crimes:
- theft of the vehicle itself by circumventing the immobilizer system (e.g. [32, 33]) or by programming
a new key into the car via the OBD port with a
suitable tool
- compromising the board computer of a modern vehicle [10, 20], which may even affect personal
safety, e.g., by deactivating the brakes while switching on the wiping system in a bend
- inconspicuously placing an object or a person inside the car. The car could be locked again after the
act
- on-the-road robbery, affecting the personal safety
of the driver or passengers if they (incorrectly) assume that the vehicle is securely locked
Note that due to the long range of RKE systems
it is technically feasible to eavesdrop the signals of
all cars on a parking lot or at a car dealer by placing an eavesdropping device there overnight. Afterwards, all vulnerable cars could be opened by the
adversary. Practical experiments suggest that the
Responsible Disclosure
References
[1] abc7news. Key fob car thefts, 2013. http://abc7news.com/archive/9079852.
[3] ATMEL. M44C890 Low-Current Microcontroller for Wireless Communication, 2001. Datasheet, available at http://pdf1.alldatasheet.com/datasheet-pdf/view/118247/ATMEL/M44C890.html.
[7] Bogdanov, A. Attacks on the KeeLoq Block Cipher and Authentication Systems. In Workshop on RFID Security (RFIDSec'08) (2007). rfidsec07.etsit.uma.es/slides/papers/paper-22.pdf.
[8] Bono, S. C., Green, M., Stubblefield, A., Juels, A., Rubin, A. D., and Szydlo, M. Security analysis of a cryptographically-enabled RFID device. In 14th USENIX Security Symposium (USENIX Security 2005) (2005), USENIX Association, pp. 1-16.
[9] Cesare, S. Breaking the security of physical devices. Presentation at Blackhat'14, August 2014.
[10] Checkoway, S., McCoy, D., Kantor, B., Anderson, D., Shacham, H., Savage, S., Koscher, K., Czeskis, A., Roesner, F., and Kohno, T. Comprehensive experimental analyses of automotive attack surfaces. In 20th USENIX Security Symposium (USENIX Security 2011) (2011), USENIX Association, pp. 77-92.
942 25th USENIX Security Symposium
[21] Laurie, A. Fun with Masked ROMs - Atmel MARC4. Blog entry, 2013. http://adamsblog.aperturelabs.com/2013/01/fun-with-masked-roms.html.
[27] spencerwhyte. Jam Intercept and Replay Attack against Rolling Code Key Fob Entry Systems using RTL-SDR. Website, retrieved January 21, 2016, March 2014. http://spencerwhyte.blogspot.ca/2014/03/delayattack-jam-intercept-and-replay.html.
[30] Verdult, R. The (in)security of proprietary cryptography. PhD thesis, Radboud University, The Netherlands and KU Leuven, Belgium, April 2015.
[31] Verdult, R., and Garcia, F. D. Cryptanalysis of the Megamos Crypto automotive immobilizer. USENIX ;login: 40, 6 (2015), pp. 17-22.
[34] Štembera, P., and Novotný, M. Breaking Hitag2 with reconfigurable hardware. In 14th Euromicro Conference on Digital System Design (DSD 2011) (2011), IEEE Computer Society, pp. 558-563.
[35] Wiener, I. Philips/NXP Hitag2 PCF7936/46/47/52 stream cipher reference implementation. http://cryptolib.com/ciphers/hitag2/, 2007.