Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars (NDSS)
Aurélien Francillon, Boris Danev, Srdjan Čapkun (ETHZ), System Security Group
Wednesday, April 6
Agenda
1. Overview of Car Key Systems
2. Previous Attacks: In Practice
3. Passive Keyless Entry and Start Systems
4. Relay Attacks
5. Analysis on 10 Models
6. Conclusion
Modern Cars: Evolution
Increasing amount of electronics in cars, for convenience, security and safety:
- Entertainment
- Engine control
- Distance radar
- TPMS (USENIX Security 2010)
- Key systems
- On-board computers and networks (IEEE S&P 2010)
4 Categories of Key Systems
- Metallic key
- Remote active open
- Immobilizer chips
- Passive Keyless Entry and Start (PKES)
Car Keys: Active Remote Open
- Active keys: press a button to open the car; a physical key starts the car
- Need to be close (<100 m)
- Shared cryptographic key between the key and the car
- Previous attacks: weak cryptography, e.g. KeeLoq in Microchip devices (EUROCRYPT 2008, CRYPTO 2008, AFRICACRYPT 2009)
Keys With Immobilizer Chips
- Passive RFID chip in the key that authorizes starting the engine
- Close proximity: centimeters
- Present in most cars today, with the metallic key or with remote open
- Shared cryptographic key between the key and the car
- Previous attacks: weak cryptography, e.g. Texas Instruments DST (Security Analysis of a Cryptographically-Enabled RFID Device, USENIX Security 2005)
Passive Keyless Entry and Start (PKES / Smart Key)
- Be close to the car (<2 m) and the car opens
- Be inside the car to start the engine
- No human action on the key is needed
- Allows opening and starting the car
Section 2: Previous Attacks: In Practice
Protocol Attacks: Replay/Forge Messages
- Work only on very badly designed systems (no freshness check)
- Requirements: eavesdrop messages and the ability to resend them; only a few messages are sufficient
- Captured messages can be reused without the presence of the car owner
- Allows building a fake key to open/close/start the car
- Probably no longer present on the market; we found one aftermarket system, bought on the internet, that is vulnerable to this attack
Radio Jamming Attacks
- Requirements: a radio device close to the car that jams the frequency of the key system
- Thief/device needs to be present while the car is being closed
- Jams the "close" message sent by the car owner's key, so the car does not close
- The user may notice, or not
- Does not by itself allow starting the car
Cryptographic Attacks
- On active remote open and immobilizer chips
- Requirements: eavesdropping message exchanges, sometimes thousands of them; some attacks also require physical access to the key
- Allow recovering the cryptographic key, then creating a fake key from the recovered key material
Software Attacks
- Cars are computer systems: a network of computers; critical systems (brakes, etc.); entertainment (audio, video); wireless networks (GSM/3G, wireless interfaces such as TPMS)
- Complexity brings new security problems
- IEEE S&P 2010 report from UC San Diego / University of Washington: attacks that execute malicious code on the on-board computers, e.g. preventing braking or causing unexpected braking
- Infection from the internal bus (OBD-II) or from remote wireless interfaces
- This could lead to theft or forced accidents
Section 3: Passive Keyless Entry and Start Systems
PKES Modes of Operation
- Normal mode (passive open and start): uses 2 radio channels between key and car
- Active remote open mode: button on the key, one-way messages from key to car, like previous active remote open keys
- Battery-depleted mode: passive RFID, bidirectional, using the immobilizer chip in the key fob; like immobilizers, range of centimeters; metallic key in the key fob
Passive Keyless Entry and Start (Protocol Sketch)
1. Periodic scan (LF, car to key)
2. Acknowledge proximity (UHF, key to car)
3. Car ID challenge (LF, car to key)
4. Key response (UHF, key to car)
LF: 120-135 kHz, range 1-2 meters. UHF: 315-433 MHz, range 50-100 meters.
Internals of a PKES Key
- 433 MHz antenna
- 433 MHz radio + MCU
- 130 kHz passive RFID
- 130 kHz coil antenna
PKES Systems: Summary
- Cryptographic key authentication with challenge-response: replaying old signals is impossible (timeouts, freshness)
- Car to key: inductive low-frequency signals, signal strength ~ d^-3
- Physical proximity is detected only by reception of the messages induced in the key's antenna
- The system is vulnerable to relay attacks
Section 4: Relay Attacks
Relay-over-Cable Attack on PKES
- Very low cost attack (~50)
- Independent of model / protocol / cryptography
Physical Layer Relay With Cable (figure)
Relay-over-the-Air Attack
- The 130 kHz LF signal near the car is picked up by an antenna less than 30 cm from the car, carried over a 2.5 GHz link, and converted back to 130 kHz next to the key
- Tested with the 2.5 GHz link up to 50 m long and the key up to 8 m from the key-side antenna
- Higher cost (1000s?)
- Fast and difficult to detect
- Independent of model / protocol / cryptography
Physical Layer Wireless Relay, 2.5 GHz (figure)
Section 5: Analysis on 10 Models
Analysis on 10 Models
- Car models with PKES: 10 models from 8 manufacturers
- All use LF/UHF technology
- None uses the exact same protocol (from recorded traces)
- Some use longer messages: strong crypto?
Relay Over Cable vs. Model
- Cables of 10, 30 and 60 m; longer distances depend on the setup
- (Chart: relay-over-cable distance [m] reached per model, M1-M9, with and without amplification)
Key to Antenna Distance
(Two charts, Open and Go: key-to-antenna distance [m] vs. model, 0-8 m, for M2 and M5-M9, with and without amplification)
How Much Delay Is Accepted by the Car?
- The largest possible relay distance depends on the delay accepted by the car and the speed of radio waves (~ speed of light)
- Would relays at higher layers, e.g. over IP, be possible?
- To find out we need to delay radio signals: various lengths of cable are not practical; a scope/signal generator is too slow; software defined radios are still too slow
Inserting a Tunable Delay
- We used a software defined radio, USRP/GNU Radio: minimum delay 15 ms, because samples are processed by a computer and the USB bus adds delay
- We modified the USRP's FPGA to add a flexible delay with no processing on the computer: from 5 µs to 10 ms
Tunable Delay: Data Path
- Stock USRP, minimum delay 15 ms: Radio => ADC => USRP => USB => PC => USB => USRP => DAC => Radio
- USRP FPGA modification with tunable delay from 5 µs to 10 ms, buffering samples on the device before replay: Radio => ADC => FPGA (FIFO adds delay) => DAC => Radio
Maximum Accepted Delay vs. Model
- (Chart: maximum accepted delay [ms] per model, 0.5-10 ms axis, for M1, M2, M4-M10)
- 35 µs => 5 km; 10 ms => 1500 km
- Non-physical-layer relays are difficult with most models
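The following is an added example, not code from the paper or from any PKES vendor. It models the challenge-response sketch of the PKES summary slide, the relay that forwards the exchange unchanged, and the delay-to-distance figures on this slide, and shows the distance-bounding countermeasure from the conclusions as a round-trip-time bound. Everything in it is constructed: HMAC-SHA256 over car ID || challenge stands in for the undisclosed proprietary cipher, propagation is free space at c, the key's own processing time is ignored, and the car IDs, secrets, distances and relay delays are made up.

```python
"""Toy model of the PKES exchange and a physical-layer relay against it.

Added example, not from the paper. Assumptions (constructed): the key
authenticates with HMAC-SHA256 over car ID || challenge instead of the
undisclosed proprietary cipher; free-space propagation at c; key processing
time is ignored; car IDs, secrets and relay delays are made up.
"""
import hashlib
import hmac
import os

C = 299_792_458.0  # speed of light, m/s


def max_relay_distance(accepted_delay_s: float) -> float:
    """Farthest the key can be from the car for a given tolerated extra delay.

    The relayed LF challenge goes out to the key and the UHF response comes
    back, so the round trip covers the distance twice: 35 us -> ~5.2 km,
    10 ms -> ~1500 km, the figures on the slide.
    """
    return C * accepted_delay_s / 2


def mac(secret: bytes, car_id: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, car_id + challenge, hashlib.sha256).digest()[:8]


class Key:
    """Key fob: wakes on the LF challenge, answers on UHF with a MAC."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, car_id: bytes, challenge: bytes) -> bytes:
        return mac(self._secret, car_id, challenge)


class Car:
    """Car side: fresh challenge per attempt, then verify the MAC.

    max_rtt_s=None models the tested cars: proximity is inferred only from
    the fact that a valid response arrived. Setting max_rtt_s adds a
    round-trip-time bound, i.e. distance bounding.
    """

    def __init__(self, car_id: bytes, secret: bytes, max_rtt_s=None):
        self.car_id = car_id
        self._secret = secret
        self.max_rtt_s = max_rtt_s

    def try_open(self, channel) -> bool:
        challenge = os.urandom(8)  # fresh: replaying a recorded exchange is useless
        response, rtt_s = channel(self.car_id, challenge)
        if not hmac.compare_digest(response, mac(self._secret, self.car_id, challenge)):
            return False
        if self.max_rtt_s is not None and rtt_s > self.max_rtt_s:
            return False  # valid MAC, but it arrived too late: key is too far away
        return True


def direct_channel(key: Key, distance_m: float):
    """Key inside LF range; the only delay is propagation there and back."""

    def send(car_id: bytes, challenge: bytes):
        return key.respond(car_id, challenge), 2 * distance_m / C

    return send


def relay_channel(key: Key, span_m: float, relay_delay_s: float):
    """Two relay antennas bridge span_m; the relay hardware adds relay_delay_s.

    The relay never needs the secret or the message format: it forwards the
    LF challenge and the UHF response as received, which is why the attack is
    independent of the protocol and the cryptography.
    """

    def send(car_id: bytes, challenge: bytes):
        response = key.respond(car_id, challenge)  # forwarded unchanged
        return response, 2 * span_m / C + relay_delay_s

    return send


def demo() -> dict:
    secret = os.urandom(16)
    key = Key(secret)
    car = Car(b"CAR-M1", secret)  # no timing check, like the tested cars
    results = {
        "direct": car.try_open(direct_channel(key, 1.0)),
        "relay_50m": car.try_open(relay_channel(key, 50.0, 5e-6)),
        "wrong_key": Car(b"CAR-M1", os.urandom(16)).try_open(direct_channel(key, 1.0)),
    }
    # Distance bounding: allow the round trip of ~5 m of free space plus a
    # small margin; a slower response is refused even though its MAC is valid.
    bounded = Car(b"CAR-DB", secret, max_rtt_s=2 * 5.0 / C + 2e-9)
    results["direct_bounded"] = bounded.try_open(direct_channel(key, 1.0))
    results["relay_bounded"] = bounded.try_open(relay_channel(key, 50.0, 5e-6))
    return results


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name:15s} {'OPEN' if opened else 'refused'}")
```

The car without a timing bound opens for the relay exactly as it does for the nearby key, because the only thing it checks is that a valid response arrived. The bounded car refuses the relay, but note what the 2 ns margin implies: at c, 1 ns is about 15 cm each way, while a microcontroller computing a MAC takes microseconds. That gap is why a round-trip bound cannot simply be bolted onto an existing LF/UHF key and why the countermeasure slide points to dedicated RF distance-bounding hardware.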
Implications of the Attack
- Relay on a parking lot: one antenna near the elevator, attacker at the car while the car owner waits for the elevator
- Keys in a locked house, car parked in front of the house, e.g. keys left on the kitchen table: put an antenna close to the window, open and start the car without entering the house
- Tested in practice
Additional Insights
- Once started, the car can be driven away without maintaining the relay: it would be dangerous to stop the car when the key is no longer available; some cars beep, some limit speed
- No trace of entry/start: legal / insurance issues
Section 6: Conclusion
Countermeasures
- Immediate protection mechanisms: shield the key, remove the battery; seriously reduces convenience of use
- Long term: build a secure system that securely verifies proximity, e.g. Realization of RF Distance Bounding (USENIX Security 2010)
- Boris Danev/ETHZ created a startup to provide a solution: 3db Technologies GmbH, based on a low-power UWB transceiver
Conclusion
- A simple concept, yet an extremely effective attack
- Real-world use of physical-layer relay attacks: relays at the physical layer are extremely fast and efficient
- All tested systems so far are vulnerable; completely independent of protocols, authentication, encryption
- Techniques to perform secure distance measurement are required, on a budget; still an open problem
Questions?
Contact: Aurélien Francillon aurelien.francillon@inf.ethz.ch, Boris Danev bdanev@inf.ethz.ch, Srdjan Capkun capkuns@inf.ethz.ch
Relevant Work
- S. Indesteege, N. Keller, E. Biham, O. Dunkelman, B. Preneel. A Practical Attack on KeeLoq. EUROCRYPT 2008.
- T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, M. T. Manzuri Shalmani. On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme. CRYPTO 2008.
- M. Kasper, T. Kasper, A. Moradi, C. Paar. Breaking KeeLoq in a Flash: On Extracting Keys at Lightning Speed. AFRICACRYPT 2009.
- S. C. Bono, M. Green, A. Stubblefield, A. Juels. Security Analysis of a Cryptographically-Enabled RFID Device. USENIX Security 2005.
- Experimental Security Analysis of a Modern Automobile. www.autosec.org
- Taking Control of Cars From Afar. http://www.technologyreview.com/computing/35094/
- Security and Privacy Vulnerabilities of In-Car Wireless Networks: A Tire Pressure Monitoring System Case Study.
- Wireless Car Sensors Vulnerable to Hackers. http://www.technologyreview.com/communications/25962/