[PPT] - COSIC Ashur, Benedikt Gierlichs and Bart Preneel an imec research PowerPoint Presentation

SLIDE 1

Fast, Furious and Insecure

Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel

COSIC

an imec research group at KU Leuven

SLIDE 2

COSIC

2

Passive Keyless Entry and Start

Response Challenge

SLIDE 3

COSIC

3

The Tesla Model S key fob

TI TMS37F128 (X-Ray) MSP430 (MCU) TMS37126 (transponder) SPI PCB front PCB back UHF antenna 3D LF antenna MicRF112 transmitter IC

SLIDE 4

COSIC

4

TMS37F128

Source: http://www.ti.com/lit/ds/symlink/tms37f128.pdf

SLIDE 5

COSIC

Cannot order the IC’s from Farnell/Digikey
Uncommon package (30 pin TSSOP – 0.5mm pitch)
Almost no public information on these chips (NDA)
The information that is available is inconsistent

5

Getting started

SLIDE 6

COSIC

Slave Master

SPI

6

Connecting to the TMS37126

SLIDE 7

COSIC

7

The Serial Peripheral Interface (SPI)

Source: http://www.ti.com/lit/an/spna147/spna147.pdf

SLIDE 8

COSIC

SPI BUSY line indicates when the slave is ready for the next byte
The transponder indicates an error by pulling busy high or low for a long

period

Observation 1:
Error if CMD value is incorrect
Observation 2:
If LEN is 0xFF and the CMD value is correct we get an error after the

correct number of bytes (LEN) has been sent

8

Uncovering undocumented SPI commands

SLIDE 9

COSIC

Action LEN CMD WA DST40(C, K1) 0x06 0x84 NA DST_UNK(C, K1) 0x06 0x85 NA DST40(C, K2) 0x06 0x86 NA DST_UNK(C, K2) 0x06 0x87 NA Change K1 0x07 0x01 0x11 Change K2 0x07 0x01 0x12

9

Uncovering undocumented SPI commands

SLIDE 10

COSIC

Olimex MSP430-JTAG-TINY-V2 programmer
JTAG fuse wasn’t blown

10

Obtaining MSP430 firmware

SLIDE 11

COSIC

Interrupt Vector Table (IVT)
References to Special Function Registers (SFR)
SPI transmit and receive buffers

11

MSP430 Static firmware analysis

More info: POC||GTFO 0x11: A TOURIST'S GUIDE TO MSP430

SLIDE 12

COSIC

MSPDebug + Olimex MSP430-JTAG-TINY-V2
MSP430F1232 supports up to two breakpoints
Caveat: some debug pins are shared with IO and can trigger interrupts
Inspect interesting routines + dump RAM and register values
Retrieve bytes exchanged over SPI
The firmware is only using CMD 0x86 (DST40) during normal operation

12

MSP430 Dynamic firmware analysis

SLIDE 13

COSIC

DST40
Introduced in 2000
40-bit key
Security Analysis of a Cryptographically-Enabled RFID Device (2005)
S Bono, M Green, A Stubblefield, A Juels, AD Rubin
Used for immobilizer by Ford, Lincoln, Mercury, Nissan and Toyota
Exxon-Mobil’s Speedpass payment system

13

Texas Instruments Digital Signature Transponder (DST)

SLIDE 14

COSIC

14

DST40 Cipher

Key schedule is executed every 3rd round starting in the 2nd Challenge register Key register

SLIDE 15

COSIC

RF reverse engineering

15

SLIDE 16

COSIC

Two separate systems:
Remote Keyless Entry (RKE)
Actions are performed by pressing a button
One way communication
Passive Keyless Entry and Start (PKES)
The car is unlocked automatically if the key fob is in proximity of the vehicle
Two way communication

16

Key fob RF operation

SLIDE 17

COSIC

One way communication from key fob to the vehicle
Physical layer information:
Operating frequency: 433.92 MHz
Modulation: ASK
Symbol rate: 2600 symbols/S

17

Remote Keyless Entry (RKE)

SLIDE 18

COSIC

Both key fob and car store a 40-bit counter
Key fob increments counter and calculates new response

18

Remote Keyless Entry

SLIDE 19

COSIC

19

SLIDE 20

COSIC

Low Frequency (134.2 kHz)
From car to key fob
Ultra High Frequency (433.92 MHz)
From key fob to car

20

Passive Keyless Entry and Start

SLIDE 21

COSIC

Proxmark3
Added DST transponder code for the AT91SAM microcontroller
Hardware modification to boost receiver range
Custom peak detect code for the FPGA

21

Low Frequency

SLIDE 22

COSIC

23

SLIDE 23

COSIC

24

Receiving LF signals

SLIDE 24

COSIC

25

PKES Protocol analyzer

Yard Stick One (UHF) Proxmark 3 (LF)

SLIDE 25

COSIC

26

PKES protocol

SLIDE 26

COSIC

Receive the 40-bit challenge
~216 keys produce the correct response
Guess a key and transmit the response
After on average 223 guesses you will have a valid

challenge response pair

Assuming 1 guess per second → 97 days
Can be automated

28

A car only attack

SLIDE 27

COSIC

Proof of Concept

29

SLIDE 28

COSIC

40-bit challenge is combined with a 40-bit key resulting in a 24-bit response
For each 40-bit challenge multiple keys produce the same response
Need two challenge response pairs to recover the key
Brute force using 16 FPGAs took 1 hour in 2005

30

DST40 key recovery

SLIDE 29

COSIC

The key fob cannot verify the sender of a challenge
The key fob replies to any challenge it receives

as long as the car ID is correct

Time-Memory Trade-Off Table
Simplified pseudocode:
224 files each containing ~216 40-bit keys

31

DST40 key recovery

challenge = 0x636f736963 for key in range (0, 240): response = DST40(challenge, key) responseFile.append(key)

SLIDE 30

COSIC

Retrieve the 2-byte car ID (sniff or brute force)
Send challenge 0x636f736963 to the key fob
Use the response to select the correct TMTO file
Send a different challenge and record the response
Test the remaining ~216 keys

32

Cloning a key fob

for key in TMTO_File: resp = DST40(challenge2, key) if resp == response2: return key

SLIDE 31

COSIC

33

Proof of Concept attack

SLIDE 32

COSIC

Responsible disclosure

34

SLIDE 33

COSIC

35

SLIDE 34

COSIC

First notified Tesla on 31/08/2017
Tesla vehicles produced from June 2018 onwards use a new key fob
OTA update includes a Pin to Drive feature and the ability to disable PKE

36

Responsible disclosure

SLIDE 35

COSIC

38 Source: https://cars.mclaren.com/ownership/recalls-1

SLIDE 36

COSIC

“We have been alerted to a potential new security risk that may affect McLaren as well as the products of several other luxury automotive brands. The “relay attack” that has previously been reported in the media suggested that a car key could be scanned if left within range of the vehicle and the car driven

away. The car, however, cannot be restarted as the key was still with its owner.”

39

McLaren Automotive (1)

Source: https://cars.mclaren.com/ownership/recalls-1

SLIDE 37

COSIC

“A second potential method involves the vehicle being scanned by custom equipment left in close-proximity and decoded in ~100 days. A cloned key can be produced as above.” To reassure you, the method is currently considered as a low-risk by experts because the custom equipment required for such a breach, while feasible, requires skilled assembly and use.”

40

McLaren Automotive (2)

Source: https://cars.mclaren.com/ownership/recalls-1

SLIDE 38

COSIC

“The equipment also needs to be in very close proximity to a key. To further reassure you, the vulnerability has not been proven to affect our vehicles and we know of no McLaren that has been compromised in such a way.”

41

McLaren Automotive (3)

Source: https://cars.mclaren.com/ownership/recalls-1

SLIDE 39

COSIC

“Nevertheless, we take the security of all McLaren vehicles extremely seriously.” – McLaren, 2018

42

McLaren Automotive (4)

Source: https://cars.mclaren.com/ownership/recalls-1

SLIDE 40

COSIC

Don’t blindly rely on:
proprietary cryptography
secrecy of datasheets or parts that require an NDA
your suppliers, work with them
the secrecy of firmware (but do disable debug interfaces)
Don’t reuse keys
Lock It and Still Lose It - Flavio D. Garcia, David Oswald, Timo Kasper, Pierre Pavlidès
Breaking KeeLoq in a Flash - Markus Kasper, Timo Kasper, Amir Moradi, Christof Paar
If you design a product: familiarize yourself with existing security issues

43

Conclusions

SLIDE 41

COSIC

44

Conclusions

SLIDE 42

COSIC

45

Conclusions: stock price

?

SLIDE 43

COSIC

46

SLIDE 44

COSIC

an imec research group at

Questions?

47

@LennertWo @CosicBe lennert.wouters@esat.kuleuven.be