cosic
play

COSIC Ashur, Benedikt Gierlichs and Bart Preneel an imec research - PowerPoint PPT Presentation

Nov 19, 2023 •405 likes •864 views

Fast, Furious and Insecure Lennert Wouters , Eduard Marin, Tomer COSIC Ashur, Benedikt Gierlichs and Bart Preneel an imec research group at KU Leuven Lennert Wouters , Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel Passive

  1. Fast, Furious and Insecure Lennert Wouters , Eduard Marin, Tomer COSIC Ashur, Benedikt Gierlichs and Bart Preneel an imec research group at KU Leuven Lennert Wouters , Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel

  2. Passive Keyless Entry and Start Challenge Response 2 COSIC

  3. The Tesla Model S key fob PCB front PCB back TI TMS37F128 (X-Ray) UHF antenna TMS37126 (transponder) 3D LF SPI MicRF112 antenna transmitter IC MSP430 (MCU) 3 COSIC

  4. TMS37F128 Source: http://www.ti.com/lit/ds/symlink/tms37f128.pdf 4 COSIC

  5. Getting started • Cannot order the IC’s from Farnell/ Digikey • Uncommon package (30 pin TSSOP – 0.5mm pitch) • Almost no public information on these chips (NDA) • The information that is available is inconsistent 5 COSIC

  6. Connecting to the TMS37126 SPI Slave Master 6 COSIC

  7. The Serial Peripheral Interface (SPI) 7 Source: http://www.ti.com/lit/an/spna147/spna147.pdf COSIC

  8. Uncovering undocumented SPI commands • SPI BUSY line indicates when the slave is ready for the next byte • The transponder indicates an error by pulling busy high or low for a long period • Observation 1: • Error if CMD value is incorrect • Observation 2: • If LEN is 0xFF and the CMD value is correct we get an error after the correct number of bytes (LEN) has been sent 8 COSIC

  9. Uncovering undocumented SPI commands Action LEN CMD WA DST40(C, K1) 0x06 0x84 NA DST_UNK(C, K1) 0x06 0x85 NA DST40(C, K2) 0x06 0x86 NA DST_UNK(C, K2) 0x06 0x87 NA Change K1 0x07 0x01 0x11 Change K2 0x07 0x01 0x12 9 COSIC

  10. Obtaining MSP430 firmware • Olimex MSP430-JTAG-TINY-V2 programmer • JTAG fuse wasn’t blown 10 COSIC

  11. MSP430 Static firmware analysis • Interrupt Vector Table (IVT) • References to Special Function Registers (SFR) • SPI transmit and receive buffers 11 More info: POC||GTFO 0x11: A TOURIST'S GUIDE TO MSP430 COSIC

  12. MSP430 Dynamic firmware analysis • MSPDebug + Olimex MSP430-JTAG-TINY-V2 • MSP430F1232 supports up to two breakpoints • Caveat: some debug pins are shared with IO and can trigger interrupts • Inspect interesting routines + dump RAM and register values • Retrieve bytes exchanged over SPI • The firmware is only using CMD 0x86 (DST40) during normal operation 12 COSIC

  13. Texas Instruments Digital Signature Transponder (DST) • DST40 • Introduced in 2000 • 40-bit key • Security Analysis of a Cryptographically-Enabled RFID Device (2005) • S Bono, M Green, A Stubblefield, A Juels, AD Rubin • Used for immobilizer by Ford, Lincoln, Mercury, Nissan and Toyota • Exxon- Mobil’s Speedpass payment system 13 COSIC

  14. DST40 Cipher Challenge register Key register Key schedule is executed every 3 rd round starting in the 2 nd 14 COSIC

  15. RF reverse engineering 15 COSIC

  16. Key fob RF operation • Two separate systems: • Remote Keyless Entry (RKE) • Actions are performed by pressing a button • One way communication • Passive Keyless Entry and Start (PKES) • The car is unlocked automatically if the key fob is in proximity of the vehicle • Two way communication 16 COSIC

  17. Remote Keyless Entry (RKE) • One way communication from key fob to the vehicle • Physical layer information: • Operating frequency: 433.92 MHz • Modulation: ASK • Symbol rate: 2600 symbols/S 17 COSIC

  18. Remote Keyless Entry • Both key fob and car store a 40-bit counter • Key fob increments counter and calculates new response 18 COSIC

  19. 19 COSIC

  20. Passive Keyless Entry and Start • Low Frequency (134.2 kHz) • From car to key fob • Ultra High Frequency (433.92 MHz) • From key fob to car 20 COSIC

  21. Low Frequency • Proxmark3 • Added DST transponder code for the AT91SAM microcontroller • Hardware modification to boost receiver range • Custom peak detect code for the FPGA 21 COSIC

  22. 23 COSIC

  23. Receiving LF signals 24 COSIC

  24. PKES Protocol analyzer Yard Stick One (UHF) Proxmark 3 (LF) 25 COSIC

  25. PKES protocol 26 COSIC

  26. A car only attack • Receive the 40-bit challenge • ~2 16 keys produce the correct response • Guess a key and transmit the response • After on average 2 23 guesses you will have a valid challenge response pair • Assuming 1 guess per second → 97 days • Can be automated 28 COSIC

  27. Proof of Concept 29 COSIC

  28. DST40 key recovery • 40-bit challenge is combined with a 40-bit key resulting in a 24-bit response • For each 40-bit challenge multiple keys produce the same response • Need two challenge response pairs to recover the key • Brute force using 16 FPGAs took 1 hour in 2005 30 COSIC

  29. DST40 key recovery • The key fob cannot verify the sender of a challenge • The key fob replies to any challenge it receives as long as the car ID is correct • Time-Memory Trade-Off Table • Simplified pseudocode: challenge = 0x636f736963 for key in range (0, 2 40 ): response = DST40(challenge, key) responseFile.append(key) • 2 24 files each containing ~2 16 40-bit keys 31 COSIC

  30. Cloning a key fob • Retrieve the 2-byte car ID (sniff or brute force) • Send challenge 0x636f736963 to the key fob • Use the response to select the correct TMTO file • Send a different challenge and record the response • Test the remaining ~2 16 keys for key in TMTO_File: resp = DST40(challenge2, key) if resp == response2: return key 32 COSIC

  31. Proof of Concept attack 33 COSIC

  32. Responsible disclosure 34 COSIC

  33. 35 COSIC

  34. Responsible disclosure • First notified Tesla on 31/08/2017 • Tesla vehicles produced from June 2018 onwards use a new key fob • OTA update includes a Pin to Drive feature and the ability to disable PKE 36 COSIC

  35. 38 Source: https://cars.mclaren.com/ownership/recalls-1 COSIC

  36. McLaren Automotive (1) “ We have been alerted to a potential new security risk that may affect McLaren as well as the products of several other luxury automotive brands. The “relay attack” that has previously been reported in the media suggested that a car key could be scanned if left within range of the vehicle and the car driven away . The car, however, cannot be restarted as the key was still with its owner.” 39 Source: https://cars.mclaren.com/ownership/recalls-1 COSIC

  37. McLaren Automotive (2) “A second potential method involves the vehicle being scanned by custom equipment left in close-proximity and decoded in ~100 days. A cloned key can be produced as above.” To reassure you, the method is currently considered as a low-risk by experts because the custom equipment required for such a breach, while feasible, requires skilled assembly and use .” 40 Source: https://cars.mclaren.com/ownership/recalls-1 COSIC

  38. McLaren Automotive (3) “ The equipment also needs to be in very close proximity to a key. To further reassure you, the vulnerability has not been proven to affect our vehicles and we know of no McLaren that has been compromised in such a way.” 41 Source: https://cars.mclaren.com/ownership/recalls-1 COSIC

  39. McLaren Automotive (4) “Nevertheless, we take the security of all McLaren vehicles extremely seriously.” – McLaren, 2018 Source: https://cars.mclaren.com/ownership/recalls-1 42 COSIC

  40. Conclusions • Don’t blindly rely on: • proprietary cryptography • secrecy of datasheets or parts that require an NDA • your suppliers, work with them • the secrecy of firmware (but do disable debug interfaces) • Don’t reuse keys • Lock It and Still Lose It - Flavio D. Garcia, David Oswald, Timo Kasper, Pierre Pavlidès • Breaking KeeLoq in a Flash - Markus Kasper, Timo Kasper, Amir Moradi, Christof Paar • If you design a product: familiarize yourself with existing security issues 43 COSIC

  41. Conclusions 44 COSIC

  42. Conclusions: stock price ? 45 COSIC

  43. 46 COSIC

  44. Questions? @LennertWo @CosicBe lennert.wouters@esat.kuleuven.be 47 an imec research group at COSIC

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

COSIC COSIC Korea University K.U. Leuven FSE 2007

COSIC COSIC Korea University K.U. Leuven FSE 2007

FSE 2007 in Luxembourg, 2007/Mar./26~28 Related-Key Rectangle Attacks on Reduced AES-192 and AES-256 Jointly worked with Seokhie Hong and Bart Preneel, Speaker: Jongsung Kim COSIC COSIC Korea University K.U. Leuven FSE 2007

874 views • 25 slides
COSIC A Framework for Cryptographic Problems from Linear Algebra NutMiC, Paris, June 25, 2019 1 /

COSIC A Framework for Cryptographic Problems from Linear Algebra NutMiC, Paris, June 25, 2019 1 /

A Framework for Cryptographic Problems from Linear Algebra Carl Bootland , Wouter Castryck, Alan Szepieniec and Frederik Vercauteren Dept. of Electrical Engineering, COSIC KU Leuven COSIC A Framework for Cryptographic Problems from Linear

731 views • 48 slides
Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and UTwente d UT t Overview Lightweight cryptography - state of the art Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight

599 views • 39 slides
Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International

Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International

Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International COSIC Course Leuven, Belgium, 18 June 2015 Acknowledgements: Benedikt Gierlichs, Ingrid Verbauwhede, Patrick Schaumont, Kris Tiri, Bart Preneel,

920 views • 62 slides
Block cipher invariants as eigenvectors of correlation matrices Tim Beyne COSIC / ESAT, KULeuven

Block cipher invariants as eigenvectors of correlation matrices Tim Beyne COSIC / ESAT, KULeuven

Block cipher invariants as eigenvectors of correlation matrices Tim Beyne COSIC / ESAT, KULeuven December 3, 2018 COSIC Joan Daemen 2 Joan Daemen 2 Invariant subspaces and nonlinear invariants [Leander et al., 2011] x y E K K is a weak

614 views • 34 slides
Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU

Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU

Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU Leuven COSIC Seminar - 23rd October 2017, Leuven Introduction Contents of this presentation: - PETS17: Website Fingerprinting Defenses at

658 views • 44 slides
Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven, Belgium Fast Software Encryption 2009 Sebastiaan Indesteege (COSIC) Practical Collisions for EnRUPT 1/27 Outline 1 Introduction 2 Description of

704 views • 69 slides
W e b s i t e F i n g e r p r i n tj n g Claudia Diaz KU Leuven COSIC (With thanks to Marc

W e b s i t e F i n g e r p r i n tj n g Claudia Diaz KU Leuven COSIC (With thanks to Marc

W e b s i t e F i n g e r p r i n tj n g Claudia Diaz KU Leuven COSIC (With thanks to Marc Juarez and Bekah Overdorf) Summer School on real-world crypto and privacy June 2017 Outline Website Fingerprintjng for htups sites Website

599 views • 48 slides
K.U.Leuven ESAT/SCD/COSIC Computer Security and Industrial Cryptography Danny De Cock

K.U.Leuven ESAT/SCD/COSIC Computer Security and Industrial Cryptography Danny De Cock

K.U.Leuven ESAT/SCD/COSIC Computer Security and Industrial Cryptography Danny De Cock Danny.DeCock@esat.kuleuven.be Katholieke Universiteit Leuven/Dept. Elektrotechniek (ESAT) Computer Security and Industrial Cryptography (COSIC) Kasteelpark

308 views • 16 slides
Cryptanalysis of the Legendre PRF and Generalizations W. Beullens 1 T. Beyne 1 A. Udovenko 2 G.

Cryptanalysis of the Legendre PRF and Generalizations W. Beullens 1 T. Beyne 1 A. Udovenko 2 G.

Cryptanalysis of the Legendre PRF and Generalizations W. Beullens 1 T. Beyne 1 A. Udovenko 2 G. Vitto 2 1 imec-COSIC, ESAT, KULeuven 2 SnT, University of Luxembourg November 13, 2020 COSIC Legendre symbol Early 1900s: equidistribution results

977 views • 30 slides
A Perspective on Cryptocurrencies BART PRENEEL IMEC-COSIC KU LEUVEN

A Perspective on Cryptocurrencies BART PRENEEL IMEC-COSIC KU LEUVEN

A Perspective on Cryptocurrencies BART PRENEEL IMEC-COSIC KU LEUVEN BART.PRENEEL(AT)ESAT.KULEUVEN.BE 4 SEPTEMBER 2017 1 Currencies = maintaining memory Envelope and contents from Susa, Iran, ca 3300 BCE Each lenticular disc stands

685 views • 55 slides
Page 1 Ingrid Verbauwhede, KU Leuven COSIC, ALBENA, July 2013 Outline Transistor CMOS

Page 1 Ingrid Verbauwhede, KU Leuven COSIC, ALBENA, July 2013 Outline Transistor CMOS

Goal Digital Circuits: Fundamental understanding of CMOS circuits why they leak, how to counter Ingrid Verbauwhede So as to build models Ingrid.verbauwhede-at-esat.kuleuven.be And understand short comings of models KU Leuven, COSIC

381 views • 15 slides
Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer

Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer

Choosing G 1 and G 2 Ate Pairing Optimal Pairing Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer School - 2011 Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium Pairings on Elliptic

289 views • 24 slides
Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW

Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW

Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW implementations Small code size for SW implementation Low power or energy or both Reasonably fast computation time 2 This talk

676 views • 43 slides
Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus

Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus

Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus trustworthy RFC 4949 (Internet Security Glossary) Trust : A feeling of certainty (sometimes based on inconclusive evidence) either (a) that the system

788 views • 33 slides
Introduction to Power Analysis Benedikt Gierlichs Katholieke Universiteit Leuven COSIC

Introduction to Power Analysis Benedikt Gierlichs Katholieke Universiteit Leuven COSIC

Introduction to Power Analysis Benedikt Gierlichs Katholieke Universiteit Leuven COSIC benedikt.gierlichs@esat.kuleuven.be ECRYPT II Summer School Design and Security of Cryptographic Algorithms and Devices Albena, Bulgaria, 31 May 2011

452 views • 23 slides
Lecture 5: Antenna Diversity and MIMO Capacity Theoretical Foundations of Wireless Communications 1

Lecture 5: Antenna Diversity and MIMO Capacity Theoretical Foundations of Wireless Communications 1

Notes Lecture 5 Antenna Diversity, MIMO Capacity Lars Kildehj CommTh/EES/KTH Lecture 5: Antenna Diversity and MIMO Capacity Theoretical Foundations of Wireless Communications 1 Lars Kildehj CommTh/EES/KTH Wednesday, May 4, 2016

337 views • 9 slides
RADIO PROPAGATION MODELS 1 Radio Propagation Models 1 Path Loss Free Space Loss

RADIO PROPAGATION MODELS 1 Radio Propagation Models 1 Path Loss Free Space Loss

RADIO PROPAGATION MODELS 1 Radio Propagation Models 1 Path Loss Free Space Loss Ground Reflections Surface Waves Diffraction Channelization 2 Shadowing 3 Multipath Reception and Scattering Dispersion

763 views • 26 slides
AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system

AADL : a radar case study Back to radar case study Goal: to model a simple radar system Let us suppose we have the following requirements System implementation is composed by physical devices (Hardware entity): 1. antenna + processor +

589 views • 10 slides
Horizon antenna GRANDproto 3D antenna (CODALEMA butterfly Need to favor very inclined air

Horizon antenna GRANDproto 3D antenna (CODALEMA butterfly Need to favor very inclined air

Start point: Horizon antenna GRANDproto 3D antenna (CODALEMA butterfly Need to favor very inclined air showers (near 90) detection antenna designed by Take advantage of ground reflections D. Charrier) Benchmark antenna or Size S

627 views • 18 slides
Impact of Regulations on Cabin Systems Installations John

Impact of Regulations on Cabin Systems Installations John

Impact of Regulations on Cabin Systems Installations John Courtright, Structural Integrity Engineering APEX TC Meeting22-23 February 2011Huntington Beach, CA USA 1 1 Agenda Points

447 views • 19 slides
Internet on the Edge Andrew Mundy Engineering Laboratory Systems Administration (ELSA)

Internet on the Edge Andrew Mundy Engineering Laboratory Systems Administration (ELSA)

Internet on the Edge Andrew Mundy Engineering Laboratory Systems Administration (ELSA) Engineering Laboratory, National Institute of Standards and Technology (NIST) You are here Your customer is over there (no, not the deer) Distance between

552 views • 33 slides
Farthest-polygon Voronoi diagrams Otfried Cheong, Hazel Everett, Marc Glisse, Joachim

Farthest-polygon Voronoi diagrams Otfried Cheong, Hazel Everett, Marc Glisse, Joachim

Farthest-polygon Voronoi diagrams Otfried Cheong, Hazel Everett, Marc Glisse, Joachim Gudmundsson, Samuel Hornus, Sylvain Lazard, Mira Lee and Hyeon-Suk Na ESA October 2007 KAIST, INRIA, NICTA, Soongsil U. Voronoi diagrams Given some sites

655 views • 33 slides
Satellite based Technologies for Regional/ National/ Local dissem ination of Alerts An efficient

Satellite based Technologies for Regional/ National/ Local dissem ination of Alerts An efficient

Satellite based Technologies for Regional/ National/ Local dissem ination of Alerts An efficient tool for Adm inistrations to W orldSpace uses its Digital Technology reach Ctizens Alm ost Anyw here - for the delivery of Multim edia content

319 views • 17 slides

More recommend