563.12.2 Keyless Entry Ryan Kagin University of Illinois Fall 2007

563.12.2 Keyless Entry

Ryan Kagin

University of Illinois

Fall 2007

Overview

• History

• Structure

• Communication protocols

• Automobile applications

• Security issues

• Case Study: Texas Instruments Device

History

• 1950’s: Garage door openers used one common frequency for all garage doors

• 1970’s: DIP switches used to vary transceiver / transmitter codes

• 1993: Lectron’s passive keyless entry for Corvette

Brain 07, Hirano 88

Comparison Between Garage Doors and Automobile Systems

Garage Door Openers

• Less security threat

• One-way communication

• Simple programming

– allow garage door to receive shared key

• Allow multiple openers for one door

Automobile Systems

• High security threat model

• Uses combination of one-way and two-way communication

• Shared key preprogrammed into automobile and key

Basic Structure

• Contains 2 parts:

– Transmitter (typically key fob)

– Receiver (typically automobile)

• Current designs use:

– Two way communication

– LF for sleeping mode

Communication Protocols

1. Fixed Code Technique

– Transmit constant code within certain range, similar to garage door openers in the past.

– Typically unused: moved away from this because of scan and replay attacks

Alrabady 05

Communication Protocols

2. Rolling Code Technique

– Initially start with 40-bit counter

– Each communication first transmits counter, then increments it in algorithmic fashion

– Automobile verifies transmitted code

– Precautions: padding and “resynchronizing”

Alrabady 05

Communication Protocols

3. Challenge-Response Technique

– Automobile challenges key fob by sending random number

– Key fob encrypts it and sends it back to automobile

– Automobile compares for validity

– Used in remote keyless entry

Alrabady 05

Applications in Automobiles

Three main components:

• Remote Keyless Entry System (RKE)

– Also includes passive keyless entry

• Remote Keyless Ignition System (RKI)

• Immobilizer (Im)

Remote Keyless Entry System

• A system designed to remotely permit or deny access to premises or automobiles.

• Typically uses rolling code technique

– When button is pressed, function code and counter are sent

– Automobile verifies counter and performs function if correct

Alrabady 03

Passive Keyless Entry

• Typically uses challenge-response technique

– When reaching for door handle, automobile wakes key fob with LF signal

– Communication begins when pulling commences.

– Requires fast protocol to prevent mechanical jam.

Alrabady 03, 05

Passive Keyless Entry

Figure (timeline of the exchange):

• User pulls door handle

• Challenge with pseudorandom number

• Key fob computes response

• Automobile computes expected response

• If response is valid, automobile performs requested function.

The key to the protocol: it needs to be fast to prevent mechanical jam
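The challenge-response exchange from the Communication Protocols slide, as passive keyless entry uses it, written out for both sides as an added example that is not part of the original slides. HMAC-SHA256 stands in for the key fob's cipher, and the class names, key and challenge sizes are assumptions.

```python
import hashlib
import hmac
import secrets

class KeyFob:
    def __init__(self, key):
        self.key = key

    def respond(self, challenge):
        # Stand-in for "key fob encrypts it" (assumption): keyed HMAC-SHA256.
        return hmac.new(self.key, challenge, hashlib.sha256).digest()

class Automobile:
    def __init__(self, key):
        self.key, self.outstanding = key, None

    def challenge(self):
        # Fresh random number for every handle pull, from a CSPRNG so that
        # earlier challenges say nothing about the next one.
        self.outstanding = secrets.token_bytes(16)
        return self.outstanding

    def verify(self, response):
        # Each challenge is answered at most once, pass or fail.
        challenge, self.outstanding = self.outstanding, None
        if challenge is None:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare

def demo():
    key = secrets.token_bytes(16)            # constructed shared key
    fob, car = KeyFob(key), Automobile(key)
    recorded = fob.respond(car.challenge())  # genuine exchange, overheard
    genuine = car.verify(recorded)
    car.challenge()                          # next handle pull, new number
    playback = car.verify(recorded)          # old response played back
    unsolicited = car.verify(recorded)       # no challenge outstanding
    return genuine, playback, unsolicited
```

`demo()` returns `(True, False, False)`: a recorded response is useless once the automobile has issued a new challenge.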

Remote Keyless Ignition

• A system that allows remote communication to start or turn off a car.

• Also typically uses challenge-response technique

Alrabady 03

Immobilizer

• An electronic device fitted to an automobile which prevents the engine from running unless the correct key is present.

• If key fob is not present, then fuel does not get injected into the engine.

Security Issues

Types of attacks:

1. Scan attack – generic brute force

2. Playback attack – record old messages

3. Two-thief attack – generic man-in-the-middle attack

4. Challenge forward prediction attack – predict future answer from previous

5. Dictionary attack – compile valid pairs

Alrabady 05

Case Study: TRC1300

Texas Instruments Remote Control Encoders/Decoders

• Uses 40-bit rolling code (~1.1 trillion different potential codes)

• Transmitter sends 40-bit code and function code (up to 15 different codes)

• Both transmitter and receiver use same pseudorandom number generator
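The rolling code technique from the Communication Protocols and Remote Keyless Entry slides, in the shape this case study describes (a 40-bit code plus a function code, same generator on both sides), as an added example that is not from the slides or from Texas Instruments. HMAC-SHA256 cut to 40 bits stands in for the device's pseudorandom number generator; the window sizes, the two-consecutive-codes resynchronizing rule, binding the function code into the code, and all names are assumptions.

```python
import hashlib
import hmac

WINDOW = 16      # assumed look-ahead for presses made out of range
RESYNC = 1024    # assumed wider range; needs two consecutive codes

def code40(key, counter, function):
    # Stand-in for the shared PRNG (assumption); binds the function code too.
    msg = counter.to_bytes(8, "big") + bytes([function])
    return hmac.new(key, msg, hashlib.sha256).digest()[:5]

class Fob:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self, function):
        self.counter += 1                 # every press uses a fresh counter
        return code40(self.key, self.counter, function), function

class Receiver:
    def __init__(self, key):
        self.key, self.counter, self.pending = key, 0, None

    def _find(self, code, function, start, stop):
        for c in range(start, stop):
            if hmac.compare_digest(code40(self.key, c, function), code):
                return c
        return None

    def accept(self, frame):
        code, function = frame
        if not 1 <= function <= 15:       # up to 15 function codes
            return False
        lo = self.counter + 1             # codes at or below counter are dead
        c = self._find(code, function, lo, lo + WINDOW)
        if c is None:
            # Far ahead: act only on the second of two consecutive codes.
            c = self._find(code, function, lo + WINDOW, lo + RESYNC)
            resynced = c is not None and self.pending == c - 1
            self.pending = c
            if not resynced:
                return False
        self.counter, self.pending = c, None
        return True

def demo():
    fob, car = Fob(b"constructed-demo-key"), Receiver(b"constructed-demo-key")
    first = fob.press(1)
    return car.accept(first), car.accept(first)   # genuine press, then replay
```

`demo()` returns `(True, False)`: once a code has been accepted, the receiver's counter has moved past it and a played-back copy is rejected.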

References

1. Marshall Brain, “How Remote Entry Works”, http://auto.howstuffworks.com/remote-entry.htm, accessed 11 Nov 2007.

2. Ansaf Ibrahem Alrabady and Syed Masud Mahmud, “Some Attacks Against Vehicles’ Passive Entry Systems and Their Solutions”. IEEE Transactions on Vehicular Technology, vol. 52, no. 2, pp. 431-439, March 2003.

3. Ansaf Ibrahem Alrabady and Syed Masud Mahmud, “Analysis of Attacks Against the Security of Keyless-Entry Systems for Vehicles and Suggestions for Improved Designs”. IEEE Transactions on Vehicular Technology, vol. 54, no. 1, pp. 41-50, January 2005.

4. Xiao Ni and Victor Foo Siang Fook, “AES Security Protocol Implementation for Automobile Remote Keyless System”. IEEE Transactions on Vehicular Technology, vol. 56, no. 3, pp. 2526-2529, April 2007.

5. Steve Bono, Matthew Green, Adam Stubblefield, and Avi Rubin, “Analysis of the Texas Instruments DST RFID”, http://web.archive.org/web/20061013023542/http://rfid-analysis.org/, accessed 11 Nov 2007.

6. Texas Instruments, “TRC1300 Specifications”, http://focus.ti.com/lit/ds/slws011d/slws011d.pdf, accessed 11 Nov 2007.

7. M. Hirano, M. Takeuchi, T. Tomoda, and K. Nakano, “Keyless entry system with radio card transponder”, IEEE Transactions on Industrial Electronics and Control, vol. 35, no. 2, pp. 208-216, March 2007.
