Fast, Furious and Insecure: Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel (COSIC, an imec research group at KU Leuven) - PowerPoint PPT Presentation

  1. Fast, Furious and Insecure
     Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel
     COSIC, an imec research group at KU Leuven

  2. Passive Keyless Entry and Start (diagram: Challenge / Response exchange)

  3. The Tesla Model S key fob (annotated photos: PCB front, PCB back, X-ray)
     • TI TMS37F128 (X-ray)
     • TMS37126 (transponder)
     • 3D LF antenna
     • UHF antenna
     • MicRF112 transmitter IC
     • MSP430 (MCU)
     • SPI

  4. Getting started
     • Cannot order the ICs from Farnell/Digikey
     • Uncommon package (30-pin TSSOP, 0.5 mm pitch)
     • Almost no public information on these chips (NDA)
     • The information that is available is inconsistent

  5. Connecting to the TMS37126 (diagram: SPI slave / master wiring)

  6. The Serial Peripheral Interface (SPI). Source: http://www.ti.com/lit/an/spna147/spna147.pdf

  7. Uncovering undocumented SPI commands
     • The SPI BUSY line indicates when the slave is ready for the next byte
     • The transponder indicates an error by pulling BUSY high or low for a long period
     • Observation 1: error if the CMD value is incorrect
     • Observation 2: if LEN is 0xFF and the CMD value is correct, we get an error after the correct number of bytes (LEN) has been sent

  8. Uncovering undocumented SPI commands
     Action           LEN   CMD   WA
     DST40(C, K1)     0x06  0x84  NA
     DST_UNK(C, K1)   0x06  0x85  NA
     DST40(C, K2)     0x06  0x86  NA
     DST_UNK(C, K2)   0x06  0x87  NA
     Change K1        0x07  0x01  0x11
     Change K2        0x07  0x01  0x12

  9. Obtaining MSP430 firmware
     • Olimex MSP430-JTAG-TINY-V2 programmer
     • JTAG fuse wasn't blown

  10. MSP430 static firmware analysis
     • Interrupt Vector Table (IVT)
     • References to Special Function Registers (SFR)
     • SPI transmit and receive buffers
     More info: PoC||GTFO 0x11: A Tourist's Guide to MSP430

  11. MSP430 dynamic firmware analysis
     • MSPDebug + Olimex MSP430-JTAG-TINY-V2
     • MSP430F1232 supports up to two breakpoints
     • Caveat: some debug pins are shared with IO and can trigger interrupts
     • Inspect interesting routines and dump RAM and register values
     • Retrieve bytes exchanged over SPI
     • The firmware only uses CMD 0x86 (DST40) during normal operation

  12. Texas Instruments Digital Signature Transponder (DST)
     • DST40
       • Introduced in 2000
       • 40-bit key
     • Security Analysis of a Cryptographically-Enabled RFID Device (2005), S. Bono, M. Green, A. Stubblefield, A. Juels, A. D. Rubin
     • Used for immobilizers by Ford, Lincoln, Mercury, Nissan and Toyota
     • ExxonMobil's Speedpass payment system

  13. DST40 cipher (diagram: challenge register, key register). The key schedule is executed every 3rd round, starting in the 2nd.

  14. RF reverse engineering

  15. Key fob RF operation
     • Two separate systems:
       • Remote Keyless Entry (RKE)
         • Actions are performed by pressing a button
         • One-way communication
       • Passive Keyless Entry and Start (PKES)
         • The car is unlocked automatically if the key fob is in proximity of the vehicle
         • Two-way communication

  16. Passive Keyless Entry and Start
     • Ultra High Frequency (433.92 MHz)
       • From key fob to car
       • Easy to receive using widely available tools: SDR or Yard Stick One (CC1111)
     • Low Frequency (134.2 kHz)
       • From car to key fob
       • More challenging to receive

  17. Low Frequency
     • Proxmark3
       • Added DST transponder code for the AT91SAM microcontroller
       • Hardware modification to boost receiver range
       • Custom peak detect code for the FPGA

  18. (picture only)

  19. Receiving LF signals

  20. PKES protocol analyzer (diagram: Yard Stick One (UHF), Proxmark 3 (LF))

  21. PKES protocol

  22. A car-only attack
     • Receive the 40-bit challenge
     • ~2^16 keys produce the correct response
     • Guess a key and transmit the response
     • After on average 2^23 guesses you will have a valid challenge-response pair
     • Assuming 1 guess per second → 97 days
     • Can be automated

  23. Proof of Concept

  24. DST40 key recovery
     • The 40-bit challenge is combined with the 40-bit key, resulting in a 24-bit response
     • For each 40-bit challenge, multiple keys produce the same response
     • Two challenge-response pairs are needed to recover the key

  25. DST40 key recovery
     • The key fob cannot verify the sender of a challenge
     • The key fob replies to any challenge it receives as long as the car ID is correct
     • Time-Memory Trade-Off (TMTO) table
     • Simplified pseudocode (one file per 24-bit response value):
         challenge = 0x636f736963
         for key in range(0, 2**40):
             response = DST40(challenge, key)
             responseFiles[response].append(key)
     • 2^24 files, each containing ~2^16 40-bit keys

  26. Cloning a key fob
     • Retrieve the 2-byte car ID (sniff or brute force)
     • Send challenge 0x636f736963 to the key fob
     • Use the response to select the correct TMTO file
     • Send a different challenge and record the response
     • Test the remaining ~2^16 keys:
         for key in TMTO_File:
             resp = DST40(challenge2, key)
             if resp == response2:
                 return key
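A scaled-down illustration of slides 22 and 24-26, added here and not part of the talk: it shows why a 24-bit response computed under a 40-bit key lets two challenge/response pairs single out the key, and reproduces the car-only-attack estimate. The key and response widths are shrunk to 18 and 10 bits (constructed parameters) and a truncated keyed hash stands in for DST40, which is not implemented here, so the whole precomputation runs in seconds.

```python
import hashlib
from collections import defaultdict

# Constructed, scaled-down parameters. Real DST40: 40-bit key, 24-bit response,
# so 2^40 / 2^24 = ~2^16 keys share each response (one TMTO "file" per response).
KEY_BITS = 18
RESP_BITS = 10
FIXED_CHALLENGE = 0x636f736963   # the fixed TMTO challenge used in the slides


def toy_dst(challenge: int, key: int) -> int:
    """Stand-in for DST40: keyed hash truncated to RESP_BITS (NOT the real cipher)."""
    data = challenge.to_bytes(5, "big") + key.to_bytes(5, "big")
    digest = hashlib.blake2b(data, digest_size=4).digest()
    return int.from_bytes(digest, "big") & ((1 << RESP_BITS) - 1)


def build_tmto_table(challenge: int) -> dict:
    """Offline precomputation: bucket every key under its response to the fixed
    challenge. Each bucket corresponds to one of the slides' 2^24 files."""
    table = defaultdict(list)
    for key in range(1 << KEY_BITS):
        table[toy_dst(challenge, key)].append(key)
    return table


def recover_key(table: dict, response1: int, challenge2: int, response2: int) -> tuple:
    """The first pair selects a bucket of ~2^(KEY_BITS-RESP_BITS) candidates,
    the second pair filters it. Returns (surviving keys, bucket size)."""
    bucket = table[response1]
    survivors = [k for k in bucket if toy_dst(challenge2, k) == response2]
    return survivors, len(bucket)


def expected_car_only_days(resp_bits: int = 24, guesses_per_second: float = 1.0) -> float:
    """Slide 22: a guessed response is accepted with probability 2^-24, so on
    average 2^23 guesses are needed; at one guess per second that is ~97 days."""
    expected_guesses = 2 ** (resp_bits - 1)
    return expected_guesses / guesses_per_second / 86400


if __name__ == "__main__":
    table = build_tmto_table(FIXED_CHALLENGE)
    secret = 0x2C0F1                  # constructed "key fob" key for the demo
    challenge2 = 0x0102030405         # constructed second challenge
    r1 = toy_dst(FIXED_CHALLENGE, secret)
    r2 = toy_dst(challenge2, secret)
    survivors, bucket_size = recover_key(table, r1, challenge2, r2)
    print(f"{len(table)} buckets; bucket size {bucket_size}; survivors {survivors}")
    print(f"car-only attack at 1 guess/s: {expected_car_only_days():.1f} days")
```

The point for a defender is the ratio: a response far shorter than the key turns one observed pair into a small candidate set and a second pair into a unique key, which is why the response width (and key size) of a transponder cipher matters.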

  27. Proof of Concept attack

  28. Responsible disclosure

  29. (picture only)

  30. Responsible disclosure
     • First notified Tesla on 31/08/2017
     • Tesla vehicles produced from June 2018 onwards use a new key fob
     • OTA update includes a PIN to Drive feature and the ability to disable PKE

  31. Conclusions (yes, this is 2019)
     • Some manufacturers and chip vendors still rely on:
       • proprietary cryptography
       • NDAs and secrecy of datasheets (see also Helena Handschuh's talk)
       • tier 1 or tier 2 suppliers to get security right
       • secrecy of firmware

  32. Conclusions

  33. Demo video: https://www.youtube.com/watch?v=aVlYuPzmJoY

  34. Oops!... I did it again.

  35. The new key fob
     • Hardware looks identical, JTAG is locked and the key fob uses DST80
     • Trick the key fob into computing DST40 using only half of the 80-bit key!
     • Allows recovering the DST80 key with twice the resources: 2 x 5.4 TB and 2 x 2 s
     • The attack requires close range to the fob, making it more difficult to execute
     • Cars being produced today already use a new (new) key fob
     • Tesla has already begun to roll out a software update to applicable customers!

  36. (picture) Picture source: TrevP, https://teslaownersonline.com/threads/software-update-2019-32.13901/

  37. Questions? @LennertWo @CosicBe lennert.wouters@esat.kuleuven.be
