Page 1

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Srdjan Čapkun (joint work with Aurélien Francillon, Boris Danev)

May 11, 2011 1 System Security Group

Page 2

Agenda

1. Overview of Car Key Systems
2. Previous Attacks: In Practice
3. Passive Keyless Entry and Start Systems
4. Relay Attacks
5. Analysis on 10 Models
6. Conclusion

Page 3

Evolution of Modern Cars

- Increasing amount of electronics in cars
- For convenience, security and safety

(Figure: electronic subsystems of a modern car: entertainment; TPMS (USENIX Security 2010); on-board computers and networks (IEEE S&P 2010); distance radar; engine control; key systems)

Page 4

4 Categories of Key Systems

- Metallic key
- Remote active open
- Immobilizer chips
- Passive Keyless Entry and Start (PKES)

Page 5

Car Keys: Active Remote Open

- Active keys:
  - Press a button to open the car
  - Physical key to start the car
  - Need to be close (<100 m)
- Shared cryptographic key between the key and the car
- Previous attacks: weak cryptography
  - E.g. KeeLoq (EUROCRYPT 2008, CRYPTO 2008, AFRICACRYPT 2009), in Microchip devices

Page 6

Keys With Immobilizer Chips

- Immobilizer chips
  - Passive RFID
  - Authorizes starting the engine
  - Close proximity: centimeters
- Present in most cars today
  - With metallic key
  - With remote open
- Shared cryptographic key between the key and the car
- Previous attacks: weak cryptography
  - E.g. Texas Instruments DST: "Security Analysis of a Cryptographically-Enabled RFID Device", USENIX Security 2005

Page 7

Passive Keyless Entry and Start

- PKES / Smart Key ...
  - Need to be close (<2 m) and the car opens
  - Need to be in the car to start the engine
  - No need for human action on the key
- Allows opening and starting the car

Page 9

Protocol Attacks

- Replay/forge messages
  - On very badly designed systems
- Requirements: eavesdrop messages + ability to resend them
  - Only a few messages are sufficient
  - No freshness check
  - Can be reused without the presence of the car owner
- Allows creating a fake key to open/close/start the car
- Probably no longer present on the market
  - We found one "after market" system vulnerable to this attack, bought on the internet

Page 10

Radio Jamming Attacks

- Requirements:
  - A radio device close to the car
  - Jams the frequency of the key system
  - Thief/device needs to be present while the car is being closed
- Jam the "close" radio message sent by the car owner's key
  - Prevents the car from closing
  - User may notice, or not ...
  - Does not by itself allow starting the car

Page 11

Cryptographic Attacks

- On Active Remote Open and Immobilizer Chips
- Requirements: eavesdrop message exchanges
  - Sometimes thousands of exchanges
  - Some require physical access to the key
- Allows recovering the cryptographic key
  - Create a "fake key" from the cryptographic key material

Page 12

Software Attacks

- Cars are computer systems: a network of computers
  - Critical systems (brakes, etc.)
  - Entertainment: audio, video, ...
  - Wireless networks: GSM/3G, wireless interfaces (TPMS)
- Complexity brings new security problems
  - IEEE S&P 2010, report 2011: from UC San Diego / University of Washington
  - Possible attacks execute malicious code on the on-board computers
  - E.g. prevent braking / unexpected braking
  - Infection from the internal bus (OBD-II) or from remote, wireless interfaces
  - This could lead to theft, forced accidents

Page 14

PKES Modes of Operation

- Normal mode of operation: Passive Open and Start
  - Uses 2 radio channels (key <-> car)
- Active Remote Open mode: button on the key
  - One-way messages (key -> car)
  - Like previous remote active open keys
- Battery depleted mode: metallic key in the key fob
  - Passive RFID, bidirectional (key <-> car)
  - Key fob immobilizer chip
  - Like immobilizers: centimeters

Page 16

Passive Keyless Entry and Start

Two radio channels:
- LF (120 - 135 kHz), range 1-2 meters: car -> key
- UHF (315 - 433 MHz), range 50-100 meters: key -> car

Protocol (figure):
1. Periodic scan (LF)
2. Acknowledge proximity (UHF)
3. Car ID || Challenge (LF)
4. Key Response (UHF)

Page 17

PKES Systems: Summary

- Cryptographic key authentication with challenge-response
  - Replaying old signals impossible: timeouts, freshness
- Car to key: inductive low-frequency signals
  - Signal strength ~ d^-3
- Physical proximity detected by reception of messages induced in the key's antenna
- The system is vulnerable to relay attacks
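The four-step exchange above, simulated end to end with a physical-layer relay inserted between car and key, as an added example that is not code from the talk or the paper. The MAC (truncated HMAC-SHA256), the 16-byte demo key, the car ID, the 2 m / 100 m ranges and the 35 µs default timeout are assumptions chosen to match the numbers on the slides; the relay adds a configurable one-way latency and never inspects a frame.

```python
"""Added example: the PKES exchange (car -> key over LF, key -> car over UHF, fresh
challenge, MAC response, timeout) with a physical-layer relay in the middle.
Not code from the talk; MAC, key, ranges and timeout are assumptions."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

C_M_PER_S = 299_792_458.0   # the relayed signal travels at roughly the speed of light
LF_RANGE_M = 2.0            # LF field (car -> key) reaches about 1-2 m
UHF_RANGE_M = 100.0         # UHF (key -> car) reaches about 50-100 m
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
CAR_ID = b"CAR-DEMO-01"                                          # constructed car ID


def key_response(shared_key: bytes, car_id: bytes, challenge: bytes) -> bytes:
    """Step 4: the key MACs the car ID and the challenge it just heard.  HMAC-SHA256
    truncated to 8 bytes stands in for whatever cipher a real fob uses."""
    return hmac.new(shared_key, car_id + challenge, hashlib.sha256).digest()[:8]


class Car:
    """Car side: issues a fresh challenge (step 3) and opens only if the response is
    correct for that challenge and arrives within max_delay_s."""

    def __init__(self, shared_key: bytes, car_id: bytes, max_delay_s: float):
        self.shared_key = shared_key
        self.car_id = car_id
        self.max_delay_s = max_delay_s
        self.challenge = b""

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(8)   # freshness: a new value for every attempt
        return self.challenge

    def accept(self, response: bytes, elapsed_s: float) -> bool:
        if elapsed_s > self.max_delay_s:
            return False                  # timeout: the response came too late
        expected = key_response(self.shared_key, self.car_id, self.challenge)
        return hmac.compare_digest(response, expected)


def attempt_open(key_distance_m: float, max_delay_s: float = 35e-6,
                 relay_delay_s: Optional[float] = None) -> Tuple[bool, str]:
    """One passive-open attempt with the genuine key key_distance_m away.
    relay_delay_s is the one-way latency an attacker's relay adds (None = no attacker).
    The relay never parses a frame: it re-emits the LF field next to the key and
    carries the UHF answer back, which is why the cryptography never matters."""
    car = Car(SHARED_KEY, CAR_ID, max_delay_s)
    challenge = car.new_challenge()

    # Car -> key.  Direct LF only within ~2 m; beyond that only a relay delivers it.
    if key_distance_m <= LF_RANGE_M:
        lf_delay = key_distance_m / C_M_PER_S
    elif relay_delay_s is not None:
        lf_delay = relay_delay_s
    else:
        return False, "key out of LF range and no relay: it never hears the challenge"

    response = key_response(SHARED_KEY, CAR_ID, challenge)   # the real key answers

    # Key -> car.  Direct UHF within ~100 m; beyond that the relay carries it back.
    if key_distance_m <= UHF_RANGE_M:
        uhf_delay = key_distance_m / C_M_PER_S
    elif relay_delay_s is not None:
        uhf_delay = relay_delay_s
    else:
        return False, "response out of UHF range"

    elapsed = lf_delay + uhf_delay
    if car.accept(response, elapsed):
        return True, "opened, round trip %.2f us" % (elapsed * 1e6)
    return False, "rejected, round trip %.2f us exceeds the timeout" % (elapsed * 1e6)


def replay_attempt(max_delay_s: float = 35e-6) -> bool:
    """Replay (slide 9) against a fresh challenge (slide 17): an old recorded response
    is useless, so a pure replay fails even though the relay above succeeds."""
    car = Car(SHARED_KEY, CAR_ID, max_delay_s)
    old_response = key_response(SHARED_KEY, CAR_ID, car.new_challenge())
    car.new_challenge()                   # next session: the car picks a new challenge
    return car.accept(old_response, 1e-6)


if __name__ == "__main__":
    print(attempt_open(1.0))                                   # owner at the door
    print(attempt_open(30.0))                                  # owner 30 m away, no attacker
    print("replay accepted:", replay_attempt())
    print(attempt_open(30.0, relay_delay_s=2e-6))              # relay faster than the timeout
    print(attempt_open(30.0, relay_delay_s=50e-6))             # relay slower than the timeout
    print(attempt_open(500.0, max_delay_s=10e-3, relay_delay_s=1e-3))  # lenient car, key 500 m away
```

The first two calls are the normal case; the replay shows what the challenge-response actually buys. The relay calls show that the car's only remaining defence is its timeout, and the last call shows how far away the key may be once that timeout is lenient.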

Page 19

Relay-over-cable Attack on PKES

- Very low cost attack (~50 CHF)
- Independent of model / protocol / cryptography

Page 20

Physical Layer Relay With Cable

Page 21

Relay Over the Air Attack

- Higher cost (~1000 CHF)
- Fast and difficult to detect
- Independent of model / protocol / cryptography
- Tested up to 50 m

Page 22

Physical Layer Wireless Relay

(Figure: the wireless relay link operates at 2.5 GHz)

Page 24

Analysis on 10 Models

- Car models with PKES: 10 models from 8 manufacturers
  - All use LF/UHF technology
- None uses the exact same protocol (from recorded traces)
- Some use longer messages: stronger crypto?

Page 25

Relay Over Cable vs. Model

- Cables: 10, 30 and 60 m
- Longer distances depend on the setup

Page 26

Key to Antenna Distance

Page 27

How Much Delay is Accepted by the Car ?

- The maximum relay distance depends on
  - The delay accepted by the car
  - The speed of radio waves (~ speed of light)
- Is a relay at higher layers possible? E.g. relay over IP?
- To find out, we need to delay the radio signals by a controlled amount
  - Various lengths of cable: not practical
  - Scope/signal generator: too slow
  - Software Defined Radios: still too slow

Page 28

Inserting a Tunable Delay

- We used a Software Defined Radio: USRP/GNU Radio
  - Minimum delay 15 ms: samples processed by a computer, delays added by the USB bus
- We modified the USRP's FPGA to add tunable delays
  - From 5 µs to 10 ms
  - Buffering samples on the device; samples replayed directly, without processing on the computer

Page 29

Maximum Accepted Delay vs. Model

Results (figure: maximum accepted delay per model):
- 35 µs accepted delay => relay over ~5 km (round trip at the speed of light)
- 10 ms accepted delay => relay over ~1500 km
- Non-physical-layer relays (e.g. over IP) difficult with most models
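The measurement the slides describe, as an added example that is not the authors' USRP/FPGA code: a sample FIFO stands in for the modified FPGA, a black-box "car" that opens only if the relayed signal arrives within a hidden timeout stands in for the car under test, and a bisection over the FIFO's 5 µs .. 10 ms range finds the largest tolerated delay, which c·t/2 converts into relay reach. The 8 MS/s sample rate and the hidden timeouts are assumptions.

```python
"""Added example: measuring how much delay a car tolerates with a tunable delay line,
then turning that into a relay distance.  Not the authors' USRP/FPGA code; the
sample rate, the search limits and the black-box cars are assumptions."""
from collections import deque
from typing import Callable

C_M_PER_S = 299_792_458.0
SAMPLE_RATE_HZ = 8e6          # assumed ADC/DAC rate of the delay line


class SampleDelayLine:
    """FIFO in the signal path, like the modified FPGA: every sample that goes in
    comes out delay_samples later, with no host computer in the loop."""

    def __init__(self, delay_samples: int):
        self.fifo = deque([0.0] * delay_samples)

    def push(self, sample: float) -> float:
        self.fifo.append(sample)
        return self.fifo.popleft()


def delay_to_samples(delay_s: float, rate_hz: float = SAMPLE_RATE_HZ) -> int:
    return round(delay_s * rate_hz)


def relay_latency_s(delay_s: float, rate_hz: float = SAMPLE_RATE_HZ) -> float:
    """Push a constructed one-sample burst through the line and time when it reappears:
    the delay the key actually experiences is quantised to whole samples."""
    n = delay_to_samples(delay_s, rate_hz)
    line = SampleDelayLine(n)
    burst = [1.0] + [0.0] * (n + 8)
    out = [line.push(s) for s in burst]
    return out.index(1.0) / rate_hz


def make_car(timeout_s: float) -> Callable[[float], bool]:
    """Constructed black-box car under test: opens iff the relayed signal arrives
    within its (hidden) timeout.  Replace with the real car behind a real relay."""
    return lambda delay_s: relay_latency_s(delay_s) <= timeout_s


def max_accepted_delay_s(car_accepts: Callable[[float], bool],
                         lo_s: float = 5e-6, hi_s: float = 10e-3,
                         resolution_s: float = 1e-6) -> float:
    """Bisect over the delay line's range (5 us .. 10 ms) for the largest delay at
    which the car still opens."""
    if not car_accepts(lo_s):
        return 0.0                         # stricter than the line can measure
    if car_accepts(hi_s):
        return hi_s                        # more lenient than the line can measure
    while hi_s - lo_s > resolution_s:
        mid = (lo_s + hi_s) / 2
        if car_accepts(mid):
            lo_s = mid
        else:
            hi_s = mid
    return lo_s


def relay_distance_m(accepted_delay_s: float) -> float:
    """The budget covers the way out to the key and the answer back, so the reach of
    a relay is c * t / 2: 35 us gives about 5 km, 10 ms about 1500 km."""
    return C_M_PER_S * accepted_delay_s / 2


if __name__ == "__main__":
    for hidden_timeout in (35e-6, 300e-6, 10e-3):
        t = max_accepted_delay_s(make_car(hidden_timeout))
        print("accepts up to %8.1f us -> relay up to %8.1f km"
              % (t * 1e6, relay_distance_m(t) / 1e3))
```

The bisection needs only about fourteen attempts per car at 1 µs resolution, which is why a tunable delay beats swapping cables; the quantisation in relay_latency_s is the same effect a sample FIFO has on real hardware.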

Page 30

Implications of The Attack

- Relay on a parking lot
  - One antenna near the elevator
  - Attacker at the car while the car owner waits for the elevator
- Keys in a locked house, car parked in front of the house
  - E.g. keys left on the kitchen table
  - Put an antenna close to the window
  - Open and start the car without entering the house
  - Tested in practice

Page 31

Additional Insights

- Once started, the car can be driven away without maintaining the relay
  - It would be dangerous to stop the car when the key is no longer available
  - Some beep, some limit speed
- No trace of entry/start
  - Legal / insurance issues

Page 33

Countermeasures

- Immediate protection mechanisms
  - Shield the key
  - Remove the battery
  - Seriously reduces the convenience of use
- Long term
  - Build a secure system that securely verifies proximity
  - E.g. realization of RF distance bounding (USENIX Security 2010)
  - Still some challenges to address before a usable system
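What "securely verifies proximity" means in practice, as an added example that is not the USENIX Security 2010 system: a simplified Hancke-Kuhn style distance-bounding exchange in which the car times each single-bit round and rejects the key if the round trip exceeds what 2 m at the speed of light allows. The 32 rounds, the 1 ns key turnaround and the nonce/register derivation are assumptions.

```python
"""Added example: proximity verification by RF distance bounding.  A simplified
Hancke-Kuhn style rapid bit exchange, not the USENIX Security 2010 implementation;
the key's turnaround time, the 2 m bound and the round count are assumptions."""
import hashlib
import hmac
import os
from typing import Tuple

C_M_PER_S = 299_792_458.0
MAX_DISTANCE_M = 2.0         # the car only opens for a key this close (PKES range)
KEY_TURNAROUND_S = 1e-9      # assumed fixed latency of the key's rapid-bit responder
ROUNDS = 32
SHARED_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # constructed demo key


def bit(data: bytes, i: int) -> int:
    return (data[i // 8] >> (i % 8)) & 1


def registers(shared_key: bytes, car_nonce: bytes, key_nonce: bytes) -> Tuple[bytes, bytes]:
    """Both sides derive two ROUNDS-bit registers from the session nonces.  In round i
    the key answers with R0[i] if the challenge bit is 0 and R1[i] if it is 1, so a
    single wire bit is all the key has to compute during the timed phase."""
    digest = hmac.new(shared_key, car_nonce + key_nonce, hashlib.sha256).digest()
    return digest[:ROUNDS // 8], digest[ROUNDS // 8: ROUNDS // 4]


class KeyFob:
    """A key holding shared_key, distance_m from the car.  relay_delay_s is the
    one-way latency an attacker's relay adds (0.0 = ideal relay or no relay)."""

    def __init__(self, shared_key: bytes, distance_m: float, relay_delay_s: float = 0.0):
        self.shared_key = shared_key
        self.distance_m = distance_m
        self.relay_delay_s = relay_delay_s
        self.r0 = self.r1 = b""

    def start(self, car_nonce: bytes) -> bytes:
        key_nonce = os.urandom(8)
        self.r0, self.r1 = registers(self.shared_key, car_nonce, key_nonce)
        return key_nonce

    def answer(self, i: int, challenge_bit: int) -> int:
        return bit(self.r1, i) if challenge_bit else bit(self.r0, i)

    def round_trip_s(self) -> float:
        """What the car measures per round: flight time out and back at the speed of
        light, the key's turnaround, and whatever the relay hardware adds each way."""
        return (2 * self.distance_m / C_M_PER_S + KEY_TURNAROUND_S
                + 2 * self.relay_delay_s)


def car_verifies(key: KeyFob, shared_key: bytes = SHARED_KEY) -> Tuple[bool, str]:
    """Car side.  Each round is accepted only if the bit is right AND it came back
    within the round-trip bound for MAX_DISTANCE_M.  A relay cannot shorten flight
    time, so a distant key fails the bound even behind a zero-latency relay."""
    rtt_bound = 2 * MAX_DISTANCE_M / C_M_PER_S + KEY_TURNAROUND_S
    car_nonce = os.urandom(8)
    key_nonce = key.start(car_nonce)
    r0, r1 = registers(shared_key, car_nonce, key_nonce)
    for i in range(ROUNDS):
        challenge_bit = os.urandom(1)[0] & 1          # unpredictable until sent
        response = key.answer(i, challenge_bit)
        rtt = key.round_trip_s()
        if rtt > rtt_bound:
            return False, "round %d: RTT %.1f ns exceeds bound %.1f ns" % (
                i, rtt * 1e9, rtt_bound * 1e9)
        if response != (bit(r1, i) if challenge_bit else bit(r0, i)):
            return False, "round %d: wrong response bit" % i
    return True, "key proven within %.1f m" % MAX_DISTANCE_M


if __name__ == "__main__":
    print(car_verifies(KeyFob(SHARED_KEY, 1.0)))                        # owner at the door
    print(car_verifies(KeyFob(SHARED_KEY, 30.0, relay_delay_s=0.0)))    # key 30 m away behind an ideal relay
    print(car_verifies(KeyFob(SHARED_KEY, 1.0, relay_delay_s=1e-6)))    # relay next to the key, 1 us per hop
    print(car_verifies(KeyFob(b"wrong key" * 2, 1.0)))                  # impostor within range
```

The bound for 2 m is about 13 ns plus the key's turnaround, so the car needs nanosecond-resolution timing and a key that answers in a fixed, tiny time; that is the usability challenge the slide refers to, and it is why this is not a drop-in replacement for today's LF/UHF exchange.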

Page 34

Conclusion

- A simple concept, yet an extremely effective attack
  - Real-world use of physical-layer relay attacks
  - Relays at the physical layer are extremely fast and efficient
- All tested systems so far are vulnerable
  - Completely independent of protocols, authentication, encryption
- Techniques for secure distance measurement are required, on a budget
  - Still an open problem

Page 35

Questions ?

Contact: Aurélien Francillon, Boris Danev, Srdjan Capkun (System Security Group)

Page 36

Relevant Work

- S. Indesteege, N. Keller, E. Biham, O. Dunkelman, B. Preneel. A Practical Attack on KeeLoq. EUROCRYPT 2008.
- T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, M. T. Manzuri Shalmani. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. CRYPTO 2008.
- M. Kasper, T. Kasper, A. Moradi, C. Paar. Breaking KeeLoq in a Flash: On Extracting Keys at Lightning Speed. AFRICACRYPT 2009.
- S. C. Bono, M. Green, A. Stubblefield, A. Juels. Security Analysis of a Cryptographically-Enabled RFID Device. USENIX Security 2005.

Page 37

Relevant Work

- Experimental Security Analysis of a Modern Automobile. www.autosec.org
  - Taking Control of Cars From Afar. http://www.technologyreview.com/computing/35094/
- Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study.
  - Wireless Car Sensors Vulnerable to Hackers. http://www.technologyreview.com/communications/25962/

Page 38

Internals of a PKES Key

(Figure: opened key fob with parts labelled: 433 MHz antenna; 130 kHz passive RFID; 130 kHz antenna/coil; 433 MHz radio + MCU)

Page 39

Passive Keyless Entry and Start Systems (1/2)

(Figure: system overview, PKES car key, access regions)

Page 40

Tunable Delay: Data path

- Unmodified USRP: minimum delay 15 ms
  - Data path: Radio => ADC => USRP => USB => PC => USB => USRP => DAC => Radio
- USRP FPGA modification with tunable delays
  - From 5 µs to 10 ms
  - Buffering samples on the device before replay
  - Data path: Radio => ADC => FPGA (FIFO adds delay) => DAC => Radio