Gone in 360 Seconds: Hijacking with Hitag2

Slides:



Advertisements
Similar presentations
DES The Data Encryption Standard (DES) is a classic symmetric block cipher algorithm. DES was developed in the 1970’s as a US government standard The block.
Advertisements

Ryan Kagin University of Illinois Fall 2007
Block Cipher Modes of Operation and Stream Ciphers
Lecture 6 User Authentication (cont)
“Advanced Encryption Standard” & “Modes of Operation”
Spread Spectrum Chapter 7.
Spread Spectrum Chapter 7. Spread Spectrum Input is fed into a channel encoder Produces analog signal with narrow bandwidth Signal is further modulated.
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
CS470, A.SelcukStream Ciphers1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Digital Kommunikationselektroink TNE027 Lecture 6 (Cryptography) 1 Cryptography Algorithms Symmetric and Asymmetric Cryptography Algorithms Data Stream.
Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
How To Not Make a Secure Protocol WEP Dan Petro.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Security Weaknesses in Bluetooth by Markus Jakobsson and Susanne Wetzel Lucent Technologies – Bell Labs presented by Boris Kurktchiev.
WIRELESS NETWORK SECURITY. Hackers Ad-hoc networks War Driving Man-in-the-Middle Caffe Latte attack.
Lecture 23 Symmetric Encryption
1 CMPT 371 Data Communications and Networking Spread Spectrum.
Computer Security CS 426 Lecture 3
IWD2243 Wireless & Mobile Security
WLAN What is WLAN? Physical vs. Wireless LAN
Cryptography and Network Security Chapter 7 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Radio Frequency Identification By Bhagyesh Lodha Vinit Mahedia Vishnu Saran Mitesh Bhawsar.
GSM Network Security ‘s Research Project By: Jamshid Rahimi Sisouvanh Vanthanavong 1 Friday, February 20, 2009.
Wireless and Security CSCI 5857: Encoding and Encryption.
CWNA Guide to Wireless LANs, Second Edition Chapter Eight Wireless LAN Security and Vulnerabilities.
KAIS T A lightweight secure protocol for wireless sensor networks 윤주범 ELSEVIER Mar
Cryptography and Network Security (CS435)
A History of WEP The Ups and Downs of Wireless Security.
Slide 1 Stream Ciphers uBlock ciphers generate ciphertext Ciphertext(Key,Message)=Message  Key Key must be a random bit sequence as long as message uIdea:
RFID Payment Terminal Presented by: Rohit Kale. Introduction RFID: an automatic identification method, relying on storing and remotely retrieving data.
CS555Spring 2012/Topic 51 Cryptography CS 555 Topic 5: Pseudorandomness and Stream Ciphers.
LOGO Hardware side of Cryptography Anestis Bechtsoudis Patra 2010.
Intercepting Mobile Communications: The Insecurity of Nikita Borisov Ian Goldberg David Wagner UC Berkeley Zero-Knowledge Sys UC Berkeley Presented.
Information Security Lab. Dept. of Computer Engineering 182/203 PART I Symmetric Ciphers CHAPTER 7 Confidentiality Using Symmetric Encryption 7.1 Placement.
Stream Ciphers Making the one-time pad practical.
Stream Cipher July 2011.
CWSP Guide to Wireless Security Chapter 2 Wireless LAN Vulnerabilities.
WEP Protocol Weaknesses and Vulnerabilities
WEP AND WPA by Kunmun Garabadu. Wireless LAN Hot Spot : Hotspot is a readily available wireless connection.  Access Point : It serves as the communication.
Information Security By:-H.M.Patel. Information security There are three aspects of information security Security service Security mechanism Security.
Security Analysis of a Cryptographically- Enabled RFID Device Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Avi Rubin, Michael Szydlo Usenix.
Data and Computer Communications Eighth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 9 – Spread Spectrum.
Shanti Bramhacharya and Nick McCarty. This paper deals with the vulnerability of RFIDs A Radio Frequency Identifier or RFID is a small device used to.
Chapter 7 – Confidentiality Using Symmetric Encryption.
Chapter 7 Confidentiality Using Symmetric Encryption.
Cody Brookshear Andy Borman
Lecture 23 Symmetric Encryption
Focus On Bluetooth Security Presented by Kanij Fatema Sharme.
Wireless Security Rick Anderson Pat Demko. Wireless Medium Open medium Broadcast in every direction Anyone within range can listen in No Privacy Weak.
How To Not Make a Secure Protocol WEP Dan Petro.
Presentation for CDA6938 Network Security, Spring 2006 Timing Analysis of Keystrokes and Timing Attacks on SSH Authors: Dawn Xiaodong Song, David Wagner,
Wireless Network Security CSIS 5857: Encoding and Encryption.
Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
Stallings, Wireless Communications & Networks, Second Edition, © 2005 Pearson Education, Inc. All rights reserved Spread Spectrum Chapter.
Chapter 7 – Confidentiality Using Symmetric Encryption.
We Engineer The Sustainable Future. The contents of this presentation are CONFIDENTIAL AND PROPRIETARY. All Rights Reserved. MLX MHz RFID/NFC.
Flavio Garcia University of Birmingham
Department of Computer Science Chapter 5 Introduction to Cryptography Semester 1.
หัวข้อบรรยาย Stream cipher RC4 WEP (in)security LFSR CSS (in)security.
HiTag2 RTLab 이재근.
Security Of Wireless Sensor Networks
Security of Wireless Sensor Networks
Security in Wide Area Networks
Presentation transcript:

Gone in 360 Seconds: Hijacking with Hitag2

PREAMBLE Electronic vehicle immobilizer - anti-theft device. Prevents the engine of the vehicle from starting unless the corresponding transponder is present. Passive RFID tag embedded in the car key Hitag2 Proprietary stream cipher 48-bit keys for authentication and confidentiality.

Vulnerabilities Lack of a pseudorandom number generator - renders system susceptible to replay attacks Recovery of keystream possible One in four authentication attempts leaks one bit of information about the secret key 16 bits of information over the secret key are persistent throughout different sessions.

Hardware Setup

Proxmark III board FPGA - Low-level RF operations such as modulation/demodulation Microcontroller - high-level operations like encoding/decoding of frames BPLM – encodes communication from reader to transponder Support for Manchester or Biphase - eavesdrop, generate, and read communications from reader to transponder

Functionality Public mode – contents of the user data pages are simply broadcast by the transponder Password mode – reader and transponder password authentication. Replay attack possible. Crypto mode – mutual authenticationof reader and transponder by means of a 48-bit shared key, encrypted using a proprietary stream cipher.

MEMORY 256 bits of non- volatile memory (EEPROM) Organized in 8 blocks of 4 bytes each. In crypto mode –

Communication Master-slave principle Reader sends a command to the transponder Transponder responds after a predefined period of time There are five different commands: authenticate, read, read, write, halt.

Cipher 48-bit linear feedback shift register (LFSR) Non-linear filter function f . Twenty bits of the LFSR generate one bit of keystream. LFSR shifts one bit to the left Uses the generating polynomial to generate a new bit on the right.

Authentication protocol

Hitag2 weaknesses Arbitrary length keystream oracle – Since there is no challenge from the transponder it is possible to replay any valid {nR}{aR} pair to the transponder to achieve a successful authentication. Dependencies between sessions – LFSR bits 0 to 15 remain constant throughout different session which gives a strong dependency between them. Low degree determination of the filter function - with probability 1/4 the fil- ter function f is determined by the 34-leftmost bits of the internal state.

ATTACKS Malleability attack – adversary first acquires keystream. Then uses it to read or write any block on the card Time/memory tradeoff attack – hinges on the fact that the linear difference between a state s and its n-th successor is a combination of the linear differences generated by each bit. Cryptanalytic attack - an attacker can recover the secret key after gathering a few authentication attempts from a car.

Starting a car In the dashboard of the car there is a slot to insert the remote and a button to start the engine. When a piece of plastic of suitable size is inserted in this slot the car repeatedly attempts to authenticate the transponder As soon as the car receives a valid identifier, the dashboard lights up and the LCD screen pops-up

Implementation weakness Weak random number generators – most PRNGs use the time as a seed. The time intervals do not have enough precision. Multiple authentication attempts within a time frame of one second get the same random number. More than one car may have a PRNG with dangerously low entropy

Implementation weakness Low entropy keys – some cars have repetitive patterns in their keys Vulnerable to dictionary attacks Readable keys - remote keyless entry system with wider range are vulnerable to wireless attacks A transponder which is wirelessly accessible over a distance of several meters and a non protected readable key

Implementation weakness Predictable transponder passwords - use of default or predictable passwords as transponder keys, or cryptosystem may get broken Identifier pickpocketing – use of a low-frequency (LF) interface to wirelessly pickpocket the identifier from the victim’s key. Use of wide range ultra-high frequency (UHF) interface to eavesdrop the transmission of a hybrid transponder when the victim presses a button on the remote

Mitigation Automotive industry to migrate from weak proprietary ciphers to ones like AES Extend the transponder password Delay authentication after failure Improve the pseudo-random number generator where it’s used to generate nonces

QUESTIONS!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.