Gone in 360 Seconds:
Hijacking with Hitag2
PREAMBLE
Electronic vehicle immobilizer - anti-theft device.
Prevents the engine of the vehicle from starting unless the corresponding transponder is present.
Passive RFID tag embedded in the car key
Hitag2
Proprietary stream cipher
48-bit keys for authentication and confidentiality.
Vulnerabilities
Lack of a pseudorandom number generator - renders the system susceptible to replay attacks
Recovery of keystream possible
One in four authentication attempts leaks one bit of information about the secret key
16 bits of information over the secret key are persistent throughout different sessions.
Hardware Setup
Proxmark III board
FPGA - Low-level RF operations such as modulation/demodulation
Microcontroller - high-level operations like encoding/decoding of frames
BPLM – encodes communication from reader to transponder
Support for Manchester or Biphase - eavesdrop, generate, and read communications from reader to transponder
Functionality
Public mode – contents of the user data pages are simply broadcast by the transponder
Password mode – reader and transponder password authentication. Replay attack possible.
Crypto mode – mutual authentication of reader and transponder by means of a 48-bit shared key, encrypted using a proprietary stream cipher.
MEMORY
256 bits of non-volatile memory (EEPROM)
Organized in 8 blocks of 4 bytes each.
In crypto mode –
Communication
Master-slave principle
Reader sends a command to the transponder
Transponder responds after a predefined period of time
There are five different commands:
authenticate, read, read (inverted), write, halt.
Cipher
48-bit linear feedback shift register (LFSR)
Non-linear filter function f.
Twenty bits of the LFSR generate one bit of keystream.
LFSR shifts one bit to the left
Uses the generating polynomial to generate a new bit on the right.
Authentication protocol
Hitag2 weaknesses
Arbitrary length keystream oracle – Since there is no challenge from the transponder, it is possible to replay any valid {nR}{aR} pair to the transponder to achieve a successful authentication.
Dependencies between sessions – LFSR bits 0 to 15 remain constant throughout different sessions, which gives a strong dependency between them.
Low degree determination of the filter function - with probability 1/4 the filter function f is determined by the 34 leftmost bits of the internal state.
ATTACKS
Malleability attack – adversary first acquires keystream.
Then uses it to read or write any block on the card
Time/memory tradeoff attack – hinges on the fact that the linear difference between a state s and its n-th successor is a combination of the linear differences generated by each bit.
Cryptanalytic attack - an attacker can recover the secret key after gathering a few authentication attempts from a car.
Starting a car
In the dashboard of the car there is a slot to insert the remote and a button to start the engine.
When a piece of plastic of suitable size is inserted in this slot the car repeatedly attempts to authenticate the transponder
As soon as the car receives a valid identifier, the dashboard lights up and the LCD screen pops up
Implementation weakness
Weak random number generators – most PRNGs use the time as a seed.
The time intervals do not have enough precision.
Multiple authentication attempts within a time frame of one second get the same random number.
More than one car may have a PRNG with dangerously low entropy
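The one-second PRNG weakness above, as an added example that is not part of the original slides: a model of a reader that reseeds its nonce generator from a whole-second clock, a CSPRNG replacement, and the nonce-reuse audit a defender would run over captured authentication attempts. The timestamps and the 32-bit nonce width are constructed assumptions for illustration.

```python
"""Audit reader nonces (nR) from immobilizer authentication attempts for reuse."""
import random
import secrets
from collections import Counter


def weak_nonces(timestamps):
    """Model of the weak reader: the PRNG is reseeded from the clock truncated
    to whole seconds on every attempt, so attempts inside one second agree."""
    out = []
    for t in timestamps:
        rng = random.Random(int(t))   # seed has one-second resolution
        out.append(rng.getrandbits(32))
    return out


def strong_nonces(count):
    """Replacement: nonces from the OS CSPRNG, independent of the clock."""
    return [secrets.randbits(32) for _ in range(count)]


def nonce_reuse_report(samples):
    """samples: list of (timestamp_seconds, nR).  Reports how many nonces
    were seen more than once and how many attempts therefore added no
    fresh randomness (each repeat is a replayable {nR}{aR} pair)."""
    counts = Counter(n for _, n in samples)
    repeated = {n: c for n, c in counts.items() if c > 1}
    return {
        "attempts": len(samples),
        "distinct": len(counts),
        "repeated_nonces": len(repeated),
        "wasted_attempts": sum(c - 1 for c in repeated.values()),
    }


# Constructed capture: six attempts spread over three seconds, roughly
# 200 ms apart, as a car polling the key slot might produce.
CAPTURE_TIMES = [100.0, 100.2, 100.4, 101.1, 101.7, 102.3]


def audit_weak():
    return nonce_reuse_report(list(zip(CAPTURE_TIMES, weak_nonces(CAPTURE_TIMES))))


def audit_strong():
    return nonce_reuse_report(list(zip(CAPTURE_TIMES, strong_nonces(len(CAPTURE_TIMES)))))


if __name__ == "__main__":
    print("weak  :", audit_weak())
    print("strong:", audit_strong())
```

Run against a real capture, any non-zero `wasted_attempts` count over a short window is the symptom the slide describes; a healthy reader should show `distinct == attempts`.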
Implementation weakness
Low entropy keys – some cars have repetitive patterns in their keys
Vulnerable to dictionary attacks
Readable keys - remote keyless entry systems with a wider range are vulnerable to wireless attacks
A transponder which is wirelessly accessible over a distance of several meters and a non-protected readable key
Implementation weakness
Predictable transponder passwords - use of default or predictable passwords as transponder keys; the cryptosystem may also get broken
Identifier pickpocketing – use of a low-frequency (LF) interface to wirelessly pickpocket the identifier from the victim’s key.
Use of a wide-range ultra-high frequency (UHF) interface to eavesdrop on the transmission of a hybrid transponder when the victim presses a button on the remote
Mitigation
Automotive industry to migrate from weak proprietary ciphers to ones like AES
Extend the transponder password
Delay authentication after failure
Improve the pseudo-random number generator where it’s used to generate nonces
QUESTIONS!