Presentation is loading. Please wait.

Presentation is loading. Please wait.

Flavio Garcia University of Birmingham

Published byAndra Mosley Modified over 8 years ago

Similar presentations

Presentation on theme: "Flavio Garcia University of Birmingham"— Presentation transcript:

1 Flavio Garcia University of Birmingham
Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer or “If we can’t get the car key right…” Flavio Garcia University of Birmingham

2 A bit of context This paper was first accepted at Usenix Security’13
VW sought an injunction from the High Court of London to prevent publication The High Court of London granted an interim injunction and therefore we had to withdraw the article We have now reached an amicable settlement without any admission of liability The paper was finally published at Usenix Security’15 with minor redactions

3 Vehicle Immobilizers Passive RFID Tags (125 KHz) Prevent hot-wiring
Mandatory Europe (EU Directive 95/56/EC) Australia (AS/NZS 4601:1999) Canada (CAN/ULC S ) Prevent insurance fraud Should not be confused with remote controls that unlock the car doors (433 MHz)

4 Vehicle Immobilizers

5 Three main immobilizer chips used (2012-13)
TI’s DST (40-bit key) Bono et al. “Security Analysis of a Cryptographically-Enabled RFID Device” [Usenix Security’05] NXP’s Hitag (48-bit key) Analysed in our paper “Gone in 360 Seconds: Hijacking with Hitag2” [Usenix Security’12] EM’s Megamos Crypto (96-bit key) This talk [Usenix Security’15]

6 Megamos Crypto Usage (2013)

7 Tag Memory layout (from datasheet)

8 Megamos Authentication Protocol
id = 32-bit Tag identifier nC = 56-bit Car nonce aC = 28-bit Car authenticator (keystream) aT = 20-bit Tag authenticator (keystream)

9 NEC uPD78P083 has simply no protection
… but you can also read it directly from the car’s ECU NEC uPD78P083 has simply no protection

10 Cryptanalysis - Pre-requisites
Requires access to the car and the car key Adversary needs to turn the ignition on twice and eavesdrop two traces

11 Cryptanalysis of the cipher

12 The Megamos Crypto Cipher
Secret key size = 96 bits Internal state size = x7 = 57 bits

13 Cryptanalysis of Megamos Crypto
Total attack complexity reduced from 296 to less than 256 encryptions Takes less than two days on a Copacobana‘05 This complexity can be further reduced by pre-computation: E.g., using a 12 Terabyte table reduces the complexity to 249 table lookups This has some practical limitations

14 Partial Key-update Attack
Observations: During our research, the majority of deployed tags we found were: Unlocked l0 = 0 (writable) Could be unlocked with a default PIN code The 96-bit secret key is written to the tag in blocks of 16 bits instead of being an atomic operation.

15 Partial Key-update Attack (simple)
0003 0001 0002 0000 E4F2 0001 0000 Block 1 18AC Block 2 FF52 Block 3 7B22 Block 4 Block 5 88C9 16 32 48 64 80 96 Get one authentication attempt from the car Guess 16 bits, write on one block then authenticate to the tag. If it succeeds you learn 16 key bits. This requires 6 x 216 writes and authenticate Takes 25’ per block ≈ 2.5 hours in total, using a Proxmark

16 Partial Key-update Attack (optimized)
0000 0003 E4F2 0000 Block 1 0000 18AC Block 2 FF52 Block 3 7B22 Block 4 Block 5 88C9 16 32 48 64 80 96 Same principle but only write zeros once in the first block Then increment the nonce and authenticate until the tag accepts key is added to nonce during initialisation Repeat for another two blocks then combine with the cryptanalytic attack searching for the remaining bits This attack requires 6 writes and 3 x 216 authentications with the tag and negligible computational complexity The whole attack takes <30 minutes using a Proxmark III

17 Immobilizer Demo

18 Weak key attack Some interesting keys we found k32 … k96 32 96 If the key starts with 32 zero bits then you can use a time-memory trade-off as in [Oechslin’03] Build (once) a 1.5 Terabyte rainbow table (less than one week to build) Computational complexity of 237 encryptions Few minutes computation on a laptop

19 Weak key attack Some even more interesting keys we found
These keys appear to have at most 32 bits of entropy An exhaustive search on such key takes only seconds

20 Mitigation and Alternatives
Car owners can set lock-bit l0 to one, set a random PIN. This prevents our partial key update attack. Set full entropy keys (locksmiths, dealers) Vehicle immobilizer tags based on AES HITAG Pro, NXP Semiconductors (2007) ATA5580, Atmel Corporation (2010) TRPWS21/TRPBS27, Texas Instruments (2010)

21 Atmel Open Immobiliser Protocol Stack
Atmel Corporation states in the datasheets: “Rather than developing its own proprietary cryptographic functions, Atmel selected and implemented the 128-bit AES-128 global benchmark standard as its data encryption and decryption source. This open source standard is freely available to the public for use and scrutiny. Because of this it continues to be favored by industry experts over private and proprietary crypto algorithms.“ Key Features No security by obscurity Use of 128-bits AES Car & key send challenge Open protocol design Open source examples Allows public evaluation

22 Responsible disclosure
We carefully followed the official guidelines from the Dutch Government [1] We notified the chip manufacturer in November 2012, nine months ahead of scheduled publication at Usenix’13. We invested many days to inform them properly conference call several letters and s personal meeting We understand that measures have been taken to prevent our weak-key and partial key-update attacks in newer vehicles [1]

23 Many thanks!

Download ppt "Flavio Garcia University of Birmingham"

Similar presentations

Toward Practical Public Key Anti- Counterfeiting for Low-Cost EPC Tags Alex Arbit, Avishai Wool, Yossi Oren, IEEE RFID April 2011 1.

Toward Practical Public Key Anti- Counterfeiting for Low-Cost EPC Tags Alex Arbit, Avishai Wool, Yossi Oren, IEEE RFID April
Gone in 360 Seconds: Hijacking with Hitag2

Gone in 360 Seconds: Hijacking with Hitag2
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.

1 CIS 5371 Cryptography 5b. Pseudorandom Objects in Practice Block Ciphers.
1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.
White-Box Cryptography

White-Box Cryptography
Making “Good” Encryption Algorithms

Making “Good” Encryption Algorithms
Cryptanalysis on FPGA Based Hardware

Cryptanalysis on FPGA Based Hardware
Cryptography and Network Security Chapter 3

Cryptography and Network Security Chapter 3
Block Ciphers and the Data Encryption Standard

Block Ciphers and the Data Encryption Standard
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea 34901784 443099

Introduction to Cryptography and Security Mechanisms: Unit 5 Theoretical v Practical Security Dr Keith Martin McCrea
Cryptography and Network Security

Cryptography and Network Security
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
Wired Equivalent Privacy (WEP)

Wired Equivalent Privacy (WEP)
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
AES clear a replacement for DES was needed

AES clear a replacement for DES was needed
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
#1 Privacy in pervasive computing What can technologists do? David Wagner U.C. Berkeley In collaboration with David Molnar, Andrea Soppera, Ari Juels.

#1 Privacy in pervasive computing What can technologists do? David Wagner U.C. Berkeley In collaboration with David Molnar, Andrea Soppera, Ari Juels.

Similar presentations

Ads by Google