Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars
(NDSS 2011)
Aurélien Francillon,
Boris Danev, Srdjan Čapkun (ETHZ)
Wednesday April 6,
2011
1 System Security Group
Agenda
1. Overview of Car Key Systems
2. Previous Attacks: In Practice
3. Passive Keyless Entry and Start Systems
4. Relay Attacks
5. Analysis on 10 Models
6. Conclusion
Modern Cars Evolution
Increasing amount of electronics in cars
For convenience, security and safety
Figure labels: Entertainment; TPMS (Usenix Security 2010); On-board computers and networks (S&P 2010); Distance radar; Engine control; Key systems
4 Categories of Key Systems
Metallic key
Remote active open
Immobilizer chips
Passive Keyless Entry and Start
Car Keys: Active Remote Open
Active keys:
Press a button to open the car
Physical key to start the car
Need to be close (<100 m)
Shared cryptographic key between the key and the car
Previous attacks: weak cryptography, e.g.
– KeeLoq (Eurocrypt 2008, Crypto 2008, Africacrypt 2009), in Microchip devices
Keys With Immobilizer Chips
Immobilizer chips: passive RFID
Authorizes starting the engine
Close proximity: centimeters
Present in most cars today
– with metallic key
– with remote open
Shared cryptographic key between the key and the car
Previous attacks: weak cryptography, e.g. Texas Instruments DST, Usenix Security 2005, “Security Analysis of a Cryptographically-Enabled RFID Device”
Passive Keyless Entry and Start
PKES / Smart Key …
Need to be close (<2m) and the car opens
Need to be in the car to start the engine
No need for human action on the key
Allows opening and starting the car
Protocol Attacks
Replay/forge messages
On very badly designed systems
Requirements:
Eavesdrop messages + ability to resend them
– Only a few messages are sufficient
– No freshness check
Can be reused without the presence of the car owner
Allows creating a fake key to open/close/start the car
Probably no longer present on the market
We found one “after market” system vulnerable to this attack
– bought on the internet
Radio Jamming Attacks
Requirements:
A radio device close to the car
Jams the frequency of the key system
Thief/device needs to be present while the car is being closed
Jam the “close” radio message sent by the car owner’s key
Prevents the car from closing
User may notice, or not …
Does not by itself allow starting the car
Cryptographic Attacks
On Active Remote Open and Immobilizer Chips
Requirements:
Require eavesdropping message exchanges
– Sometimes thousands of exchanges
Some require physical access to the key
Allows recovering the cryptographic key
Create a “fake key” from the cryptographic key material
Software Attacks
Cars are computer systems: a network of computers
Critical systems (brakes, etc.)
Entertainment: audio, video…
Wireless networks: GSM/3G; wireless interfaces (TPMS)
Complexity brings new security problems
IEEE S&P 2010, report 2011: from UC San Diego / Washington University
Possible attacks to execute malicious code on the on-board computers
E.g. prevent braking / unexpected braking
Infection from internal bus (OBD-II) or remote, wireless interfaces
This could lead to theft, forced accidents
PKES Modes of Operation
Normal mode of operation: Passive Open and Start
– Uses 2 radio channels (Key <-> Car)
Active Remote Open Mode: button on the key
– One-way messages (Key -> Car)
– Like previous remote active open keys
Battery depleted mode: metallic key in the key fob
– Passive RFID, bidirectional (Key <-> Car)
– Key fob immobilizer chip
– Like immobilizers: centimeters
Passive Keyless Entry and Start (Protocol Sketch)
LF (120 – 135 kHz), range 1 – 2 meters
UHF (315 – 433 MHz), range 50 – 100 meters
1. Periodic scan (LF)
2. Acknowledge proximity (UHF)
3. Car ID || Challenge (LF)
4. Key Response (UHF)
Internals of a PKES Key (photo labels): 433 MHz antenna; 130 kHz passive RFID; 130 kHz coil antenna; 433 MHz radio + MCU
PKES Systems: Summary
Cryptographic key authentication with challenge-response
Replaying old signals impossible
– Timeouts, freshness
Car to Key: inductive low frequency signals
– Signal strength ~ d^-3
Physical proximity
– Detected by reception of messages
– Induced in key’s antenna
The system is vulnerable to relay attacks
Relay-over-cable Attack on PKES
Very low cost attack (~50 €)
Independent of model / protocol / cryptography
Physical Layer Relay With Cable
Relay Over the Air Attack
Higher cost (1000s of € ?)
Fast and difficult to detect
Independent of model / protocol / cryptography
Physical Layer Wireless Relay (figure): two relay units (labelled RL and I) joined by a 2.5 GHz link, tested up to 50 m; each end couples to the 130 kHz LF channel, with antenna distances labelled “up to 8 m” and “< 30 cm”
Analysis on 10 Models
Car models with PKES
10 models from 8 manufacturers
All use LF/UHF technology
None uses the exact same protocol
– From recorded traces
Some use longer messages
– Strong crypto?
Relay Over Cable vs. Model
Cables: 10, 30 and 60 m
Longer distances depend on the setup
Relay Over Cable vs. Model (plot): models M1, M2, M3, M5, M6, M7, M8, M9 against cable length 10, 30, 60 m (Distance [m]); series: No Amplification, Amplification
Key to Antenna Distance
Open - Key to Antenna Distance vs. Model (plot): models M2, M5, M6, M7, M8, M9; Distance [m] axis 0 – 8 m; series: No Amplification, Amplification
Go - Key to Antenna Distance vs. Model (plot): models M2, M5, M6, M7, M8, M9; Distance [m] axis 0 – 8 m; series: No Amplification, Amplification
How Much Delay is Accepted by the Car?
The largest possible distance of a relay depends on
– The delay accepted by the car
– The speed of radio waves (~ speed of light)
Possibility to relay at higher levels?
– E.g. relay over IP?
To find out, we need to delay radio signals
– Various lengths of cable: not practical
– Scope/signal generator: too slow
– Software Defined Radios: still too slow
Inserting a Tunable Delay
We used a Software Defined Radio: USRP/GNU Radio
– Minimum delay 15 ms
– Samples processed by a computer
– Delays added by the USB bus
We modified the USRP’s FPGA to add a flexible delay
– No processing on the computer
– From 5 µs to 10 ms
Tunable Delay: Data Path
Unmodified USRP: minimum delay 15 ms
– Data path: Radio => ADC => USRP => USB => PC => USB => USRP => DAC => Radio
USRP FPGA modification with tunable delays: from 5 µs to 10 ms
– Buffering samples on the device before replay
– Data path: Radio => ADC => FPGA (FIFO adds delay) => DAC => Radio
Maximum Accepted Delay vs. Model (plot): models M1, M2, M4, M5, M6, M7, M8, M9, M10; Delay [ms] axis 0.5 – 10 ms
35 µs => 5 km
10 ms => 1500 km
Non-physical-layer relays are difficult with most models
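An added example (not from the slides or the authors): the four-step exchange sketched earlier, a relay that only forwards messages, and the check that defeats it, bounding the car-to-key round-trip time as the distance-bounding countermeasure does. The HMAC response, the class names and the delay figures are assumptions; the slides' 35 µs and 10 ms bounds are reproduced as the round-trip formula d = c·t/2.

```python
import hashlib
import hmac
import os

C = 299_792_458.0  # radio propagation speed, m/s


class KeyFob:
    """Holds the shared key and answers 'Car ID || Challenge' (steps 3 -> 4)."""

    def __init__(self, shared_key: bytes):
        self.k = shared_key

    def answer(self, car_id: bytes, challenge: bytes) -> bytes:
        return hmac.new(self.k, car_id + challenge, hashlib.sha256).digest()


class Car:
    """Unlocks only if the response verifies AND arrives within max_delay_s."""

    def __init__(self, car_id: bytes, shared_key: bytes, max_delay_s: float):
        self.car_id, self.k, self.max_delay = car_id, shared_key, max_delay_s

    def unlock_attempt(self, channel) -> bool:
        challenge = os.urandom(8)  # fresh per attempt: replaying old traffic fails
        response, rtt = channel(self.car_id, challenge)  # steps 3 and 4 over `channel`
        expected = hmac.new(self.k, self.car_id + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected) and rtt <= self.max_delay


def direct_link(fob: KeyFob, key_to_car_m: float):
    """Legitimate LF/UHF path: the round trip is propagation over a few metres."""
    def channel(car_id, challenge):
        return fob.answer(car_id, challenge), 2 * key_to_car_m / C
    return channel


def relay_link(fob: KeyFob, span_m: float, hardware_delay_s: float):
    """Physical-layer relay: forwards the challenge to the distant fob and the
    answer back. It never learns the key or touches the crypto; it only adds
    propagation over the span plus the processing delay of its own hardware."""
    def channel(car_id, challenge):
        return fob.answer(car_id, challenge), 2 * span_m / C + hardware_delay_s
    return channel


def max_relay_distance_m(accepted_delay_s: float) -> float:
    """Furthest car-to-key separation a relay could bridge: the tolerated delay
    is a round trip, so d = c * t / 2 (slide: 35 us -> ~5 km, 10 ms -> ~1500 km)."""
    return C * accepted_delay_s / 2
```

A `Car` tolerating 10 ms accepts a 50 m relay with 20 µs of hardware delay, while one bounded at 100 ns (about 15 m) rejects it even with zero hardware delay; the bound, not the cipher, is what decides.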
Implications of the Attack
Relay in a parking lot
– One antenna near the elevator
– Attacker at the car while the car owner waits for the elevator
Keys in a locked house, car parked in front of the house
– E.g. keys left on the kitchen table
– Put an antenna close to the window, open and start the car without entering the house
Tested in practice
Additional Insights
Once started, the car can be driven away without maintaining the relay
– It would be dangerous to stop the car when the key is no longer available
– Some beep, some limit speed
No trace of entry/start
– Legal / insurance issues
Countermeasures
Immediate protection mechanisms
– Shield the key
– Remove the battery
– Seriously reduces the convenience of use
Long term
– Build a secure system that securely verifies proximity
– e.g.: Realization of RF Distance Bounding, Usenix Security 2010
– Boris Danev/ETHZ created a startup to provide a solution to this: 3db Technologies GmbH
– Based on a low power UWB transceiver
Conclusion
A simple concept, yet an extremely efficient attack
Real world use of physical layer relay attacks
– Relays at the physical layer are extremely fast, efficient
All tested systems so far are vulnerable
– Completely independent of protocols, authentication, encryption
Techniques to perform secure distance measurement are required, on a budget
– Still an open problem
Questions ?
Contact: Aurélien Francillon [email protected]
Boris Danev [email protected]
Srdjan Capkun [email protected]
Relevant Work
S. Indesteege, N. Keller, E. Biham, O. Dunkelman, and B. Preneel. A Practical Attack on KeeLoq. EUROCRYPT 2008.
T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, M. T. Manzuri Shalmani. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. CRYPTO 2008.
M. Kasper, T. Kasper, A. Moradi, C. Paar. Breaking KeeLoq in a Flash: On Extracting Keys at Lightning Speed. AFRICACRYPT 2009.
S. C. Bono, M. Green, A. Stubblefield, A. Juels. Security Analysis of a Cryptographically-Enabled RFID Device. USENIX Security 2005.
Relevant Work
Experimental Security Analysis of a Modern Automobile. www.autosec.org
Taking Control of Cars From Afar. http://www.technologyreview.com/computing/35094/
Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study.
Wireless Car Sensors Vulnerable to Hackers. http://www.technologyreview.com/communications/25962/