hold the door fingerprinting your car key
play

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry - PowerPoint PPT Presentation

Aug 25, 2023 •106 likes •487 views

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo* Wonsuk Choi* Dong Hoon Lee Korea University * Co-first Authors Outline Introduction Attack Model Our Method Evaluation Discussion

  1. Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo* Wonsuk Choi* Dong Hoon Lee Korea University * Co-first Authors

  2. Outline • Introduction • Attack Model • Our Method • Evaluation • Discussion • Conclusion 2

  3. Introduction • Traditional system • Physically insert a key into the keyhole • Inconvenient • Vulnerable to key copying 3

  4. Introduction • Keyless Entry System • Remote Keyless Entry (RKE) System • Passive Keyless Entry and Start (PKES) System • Attacks on Keyless Entry System • Cryptanalysis • Relay Attack • etc. (e.g., Roll-jam) 4

  5. Introduction Verifier Prover Challenge • Countermeasures Time of Flight (T oF) • Distance bounding protocol Response 𝑒 = 𝑑 ∗ ToF 2 • Sensitive to timing error (Propagates at the speed of light) • UWB-IR Ranging System • Efforts are underway (IEEE 802.15.4z Task Group) [1-3] • Requires an entirely new system • Motivation • Device Fingerprint: Exploits hardware imperfection • PHY-layer signal analysis [1] UWB with Pulse Reordering: Securing Ranging against Relay and Physical Layer Attacks (M. Singh et al.) [2] UWB-ED: Distance Enlargement Attack Detection in Ultra-Wideband (M. Singh et al.) 5 [3] Message Time of Arrival Codes: A Fundamental Primitive for Secure Distance Measurement (P. Leu et al.)

  6. Introduction • Contributions • New attack model • Combines all known attack methods; our attack model covers both PKES and RKE systems • Single/Dual-band relay attack, Cryptographic attack • No alterations to the current system • Easily employed by adding a new device that captures and analyzes the ultra-high frequency (UHF) band RF signals emitted from a key fob • Evaluations under varying environmental factors • Temperature variations, NLoS conditions (e.g., a key fob placed in a pocket) and battery aging 6

  7. Introduction • Passive Keyless Entry System • LF band (125~135 kHz, Vehicle) • 1 ~ 2 meter communication range UHF band (433, 858 MHz, Key fob) • • ~100 meter communication range) • Shared cryptographic key between the key and the vehicle Vehicle Key fob 1. Wake up(LF) Periodic Beacon signal 2. Ack(UHF) If Key in communication range 3. ID with challenge(LF) Press button on the door If ID is Correct 4. Key response If correct, unlock the door 7

  8. Introduction • System Model Vehicle BCM (Body Control Module) In-Vehicle Network Key Fob UHF Receiver HODOR UHF Transmitter LF Transmitter Door Controller LF Receiver Power Air Conditioner Controller 8

  9. Outline • Introduction / Background • Attack Model • Our Method • Evaluation • Discussion • Conclusion 9

  10. Attack Model • Coverage • Attacks on PKES and RKE systems implemented with the LF/UHF band RFID communication • Main Objectives of adversary • Unlocking a vehicle • Out of Scope • Excluded other functions, such as an engine start message • Physical damage to a vehicle 10

  11. Attack Model • Single-band Relay Attack [*] • Manipulate LF band signal only • Wired / Wireless Attack LF band UHF band 11 [*] Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars (Aurelien Francillon et al.)

  12. Attack Model • Dual-band Relay Attack ( Ⅰ . Amplification Attack) • Receives LF band signal and forward to the adversary at the key fob side • Injects LF band signal to the key fob • Amplifies UHF band signal and injects to the vehicle LF band UHF band 12

  13. Attack Model • Dual-band Relay Attack ( Ⅱ . Digital Relay Attack) [*] • Demodulate LF/UHF band signal • Relay binary information LF band signal information UHF band signal information 13 [*] Car keyless entry system attack (Yingtao Zeng et al.)

  14. Attack Model • Cryptographic Attack [*] Record LF band signals • Single adversary • Injects LF band signals to the key fob • Records valid responses and extract secret key {𝐷ℎ𝑏𝑚𝑚 1 , 𝑆𝑓𝑡𝑞 1 } {𝐷ℎ𝑏𝑚𝑚 2 , 𝑆𝑓𝑡𝑞 2 } Injects LF band signals • Exploits weaknesses of cryptographic algorithm … (Challenges) Record UHF band signals (Responses) 14 [*] Fast, Furious and Insecure: Passive Keyless Entry and Start Systems in Modern Supercars (Wouters et al.)

  15. Outline • Introduction / Background • Attack Model • Our Method • Evaluation • Discussion • Conclusion 15

  16. Our Method • Overview ( HODOR ) Phase Ⅰ . Phase Ⅱ . Attack Detection Training Newly Received Signal Legitimate Signal Set Pre-processing Pre-processing Feature Extraction Feature Extraction Classifier Generating Classifier Normalized Output Yes Normalization Parameter Verify < Γ Calculation (NPC) No Alarm 16

  17. Our Method • Preprocessing 𝑡[𝑢] 𝑒[𝑢] RMS Band-Pass filter Demodulator Normalization 𝑒 𝑆𝑁𝑇 [𝑢] 𝑑(𝑢) • Feature Extraction 𝑔 𝐵 𝑞𝑓𝑏𝑙 𝐶𝑗𝑢 𝑈𝑗𝑛𝑓 𝑒 𝑆𝑁𝑇 [𝑢] FFT 𝑔 17

  18. 𝐵 Our Method Signal Noise • Feature Extraction (Continue) 𝑔 𝐵 Increase 𝑇𝑂𝑆 𝑒𝐶 Kurtosis Spectral Brightness 𝑢 𝐵 𝑒 𝑆𝑁𝑇 [𝑢] Signal Energy in high frequency band Noise 𝑔 Carrier Frequency offset 𝐵 𝑡[𝑢] Actual Carrier Frequency 𝑔 Ideal Carrier Frequency 18 (i.e. 433MHz)

  19. Our Method • Training • Semi-supervised learning • Only requires legitimate data Normalization • Covers unknown attacks Parameter • OC-SVM, k-NN 90% 𝜈 Classifier Output Training 𝜏 Legitimate data 10% Testing X10 19

  20. Our Method • Attack Detection Newly Received Signal Training Phase 𝜈, 𝜏 Preprocessing Feature Extraction Classifier Normalization No { 𝑔 𝑞𝑓𝑏𝑙 , 𝑇𝑂𝑆 𝑒𝐶 , Kurtosis, < Γ? Spectral Brightness, Yes Carrier Frequency Offset} 20

  21. Outline • Introduction / Background • Attack Model • Our Method • Evaluation • Discussion • Conclusion 21

  22. Evaluation • Experimental Setup • Cars: KIA Soul, Volkswagen Tiguan • SDRs: HackRF One, USRP X310 • SW: GNURadio • Loop Antenna, SMA Cable (Relay LF band signal) 22

  23. Evaluation • Selected Classification Algorithms • One-Class SVM (OC-SVM) with Radial Basis Function (RBF) kernel • k-NN with Standardized Euclidean Distance • MatLab implementation • Performance Metric • Assume False Negative Rate (FNR) as 0% • Calculate False Positive Rate (FPR) 23

  24. Evaluation 5m, 10m, 15m • Single-Band Relay Attack Detection Γ 𝑄𝐿𝐹𝑇 = 4 Γ 𝑄𝐿𝐹𝑇 = 5 Experimental Setup (1 meter) (1 meter) Results (LF band signal relay) (0% FPR in both algorithms) 24

  25. Evaluation 20 ~ 25m • Dual-Band Relay Attack Detection • Amplification Attack Γ 𝑄𝐿𝐹𝑇 = 4 Γ 𝑄𝐿𝐹𝑇 = 5 Experimental Setup Results (UHF band amplification) (0% FPR in both algorithms) 25

  26. Evaluation • Dual-Band Relay Attack Detection • Digital Relay/ Cryptographic Attack HackRF One Attack Device HODOR Laptop USRP X310 Laptop Results Experimental Setup (Average FPR k-NN: 0.65%, SVM:0.27% ) (Cryptographic Attack) 26

  27. Evaluation Location of key fob Location of • Environmental Factors key fob • Non-Line of Sight (NLoS) conditions, Dynamic Channel Conditions Backpack: FPR k-NN: 1.32%, SVM:1.35% Underground: FPR k-NN: 5%, SVM:4% Pocket: FPR k-NN: 1.71%, SVM:1.67% Roadside: FPR k-NN: 2%, SVM:3% 27

  28. Evaluation Key fob HackRF (SDR) • Environmental Factors Dry ice • Signals from RKE system Average FPR k-NN: 6.36%, SVM:0.65% Average FPR k-NN: 0%, SVM:0% 28

  29. Evaluation • Execution time • Implementation on Raspberry Pi • 1.4Ghz Core, 1G RAM • Python Code Total Execution Time K-NN: 163.8ms and SVM: 159.038ms 29

  30. Single-band relay attack Amplification attack Evaluation • Feature Importance Digital relay attack Playback attack 30

  31. Outline • Introduction / Background • Attack Model • Our Method • Evaluation • Discussion • Conclusion 31

  32. Discussions • HODOR and Security • Threshold is a trade-off parameter in HODOR • Small threshold leads to the false alarm; a large threshold leads to the false-negative (attack success) • Feature Impersonation • Adversary must impersonate the whole feature at the same time • Impersonating a specific feature leads to a distortion in other features • Practicality • Develop additional features and algorithms that properly operate even in extreme environments 32

  33. Future Work • Robustness • Comprehensive experiments against feature variations • IEC certified facilities (Temperature, Humidity, Impact) • Incremental/ Decremental learning • Cope with a feature variation (a.k.a Concept drift) • Scalability • Feature collision • Defense against strong attacker equipped with signal-generator • Performance optimization • Low sample rate, memory usage 33

  34. Conclusion • Proposed a sub-authentication system • Supports manufacturer-installed support systems to prevent keyless entry system car theft • Effectively detect simulated attacks that are defined in our attack model • Reducing the number of erroneous detection occurrences (i.e., false alarms) • Found a set of suitable features in a number of environmental conditions • Temperature variation, battery aging, and NLoS conditions 34

  35. HODOR! Q&A (Thank you!) This work was supported by Samsung Electronics

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo* Wonsuk Choi* Dong Hoon Lee Korea University * Co-first Authors Outline Introduction Attack Model Our Method Evaluation Discussion

627 views • 34 slides
IMS Single Door Enclosures IMS Two Door Enclosures IMS Single Door with Slave Door

IMS Single Door Enclosures IMS Two Door Enclosures IMS Single Door with Slave Door

IMS Single Door Enclosures IMS Two Door Enclosures IMS Single Door with Slave Door Disconnect IMS Two Door with Slave Door Disconnect Plinth Bases with Black Textured Finish Galvanized Sub-Panels Galvanized Filler Plates

302 views • 29 slides
k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes

k -fingerprinting: a Robust Scalable Website Fingerprinting Technique George Danezis Jamie Hayes University College London August 12, 2016 1/24 How does website fingerprinting work? - Training Tor network Relay 2 Adversary Relay 1

988 views • 24 slides
The Invisible Door Keeper Q-Door is an innovative door sensor. In Armed Mode setting, it sends an

The Invisible Door Keeper Q-Door is an innovative door sensor. In Armed Mode setting, it sends an

The Invisible Door Keeper Q-Door is an innovative door sensor. In Armed Mode setting, it sends an alarm whenever a door or a window is opened. Additionally, it detects change in humidity , temperature and light and visualizes them on the online

479 views • 11 slides
CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF

CO 447 | LEC6 BLOCKCHAIN SECURITY Dr. Benjamin Livshits Stateless Fingerprinting 2 EFF Fingerprinting Tester https://panopticlick.eff.org 3 Panopticlick Testing 4 IE Brave Fingerprinting Components 5

1.28k views • 78 slides
Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting

Acoustic Fingerprinting Soundz Jake Runzer June 28, 2018 Jake Runzer Acoustic Fingerprinting June 28, 2018 1 / 35 Outline What is Acoustic Fingerprinting 1 Fingerprinting for Music Identification 2 Spectrograms 3 History 4 My

743 views • 35 slides
Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door

Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door

Motivation Illustrative Example: ATT with One-Sided Noncompliance Application: JTPA Fr ont-door Versus Back-door Adjustment with Unmeasured Confounding: Bias Formulas for Front-door and Hybrid Adjustments 1 Adam Glynn and Konstantin Kashin

928 views • 53 slides
Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using

Fingerprinting hardware devices Fingerprinting hardware devices using clock-skewing using clock-skewing Renaud Lifchitz renaud.lifchitz@gmail.com #HES2010 8,9,10 April 2010 Paris, France Presenter's bio French computer security

644 views • 35 slides
Custom Touch On Hold CRN ON HOLD A USA Today study

Custom Touch On Hold CRN ON HOLD A USA Today study

Custom Touch On Hold CRN ON HOLD A USA Today study revealed that 85% of callers prefer to hear informaBon while on hold. With silence, 60%

233 views • 4 slides
Blind Elephant: Web Application Fingerprinting &amp; Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting &amp; Vulnerability Inferencing Patrick Thomas

Blind Elephant: Web Application Fingerprinting &amp; Vulnerability Inferencing Patrick Thomas Qualys 7/28/10 Outline Web Apps &amp; Security Existing Fingerprinting Approaches Static File Approach Observations From A Net Survey

832 views • 69 slides
Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and

Tor website fingerprinting Website fingerprinting attacks against Tor Browser Bundle: a comparison between HTTP/1.1 and HTTP/2 T.T.N. Marks BSc. K.C.N. Halvemaan BSc. University of Amsterdam System and Network Engineering Research Project #1

664 views • 32 slides
My front door.. 1 2 My front door .. is the vehicle for communication and engagement with

My front door.. 1 2 My front door .. is the vehicle for communication and engagement with

My front door.. 1 2 My front door .. is the vehicle for communication and engagement with all our key stakeholders. o builds on the Learning Disability Strategy and Adult Social Care Vision ensuring the information is o accessible and

432 views • 8 slides
Overview of 2019 AECOM Door County Housing Study Presentation to the Door County Board of

Overview of 2019 AECOM Door County Housing Study Presentation to the Door County Board of

Overview of 2019 AECOM Door County Housing Study Presentation to the Door County Board of Supervisors February 26, 2019 Mariah Goode Background: Housing Efforts in Door County PAST AND ON-GOING WORK Door County Economic Development

416 views • 18 slides
Victory Fire Door Inspections Vickie Evans, FDAI Over 30 years in door and hardware

Victory Fire Door Inspections Vickie Evans, FDAI Over 30 years in door and hardware

Victory Fire Door Inspections Vickie Evans, FDAI Over 30 years in door and hardware industry DHI instructor and Education Advocate Certified Fire Door Inspector Victory Fire Door Inspections To compartmentalize a building

936 views • 75 slides
Response Prompting See school door. Open door and walk through. See boss or fellow employee

Response Prompting See school door. Open door and walk through. See boss or fellow employee

2/24/2017 Stimulus and Response Remember that every behavior is preceded by a stimulus and followed by a consequence. Stimulus Response Bus stops, driver opens door, people Get out of the bus. get up. Response Prompting See school door.

365 views • 4 slides
Timely Topic: 2020-21: ADA Hold Harmless Will there be an ADA hold harmless for FY2021? Yes.

Timely Topic: 2020-21: ADA Hold Harmless Will there be an ADA hold harmless for FY2021? Yes.

DRAFT FOR DISCUSSION Timely Topic: 2020-21: ADA Hold Harmless Will there be an ADA hold harmless for FY2021? Yes. TEA will institute the ADA hold harmless for the first two six-week attendance reporting periods as follows: if an LEAs

241 views • 10 slides
On Practical Selective Jamming of Bluetooth Low Energy Advertising S. Brauer, A. Zubow, S. Zehl,

On Practical Selective Jamming of Bluetooth Low Energy Advertising S. Brauer, A. Zubow, S. Zehl,

On Practical Selective Jamming of Bluetooth Low Energy Advertising S. Brauer, A. Zubow, S. Zehl, M. Roshandel, S. M. Sohi Technical University Berlin &amp; Deutsche Telekom Labs Germany Outline Motivation, Problem Statement, System

655 views • 23 slides
Design Jam Objectives: 1. Introduce Design Thinking Overview 2. Introduce Design Thinking

Design Jam Objectives: 1. Introduce Design Thinking Overview 2. Introduce Design Thinking

Design Jam Objectives: 1. Introduce Design Thinking Overview 2. Introduce Design Thinking Methods 3. Experience a Design Jam How Might We identify aspects of a good How Might We question? Not too broad nor too narrow. If too

735 views • 27 slides
welcome to the power of jamming teacher creativity and paths to student voice please place

welcome to the power of jamming teacher creativity and paths to student voice please place

welcome to the power of jamming teacher creativity and paths to student voice please place yourself in front of an instrument that is not your primary Introductions Katherine Fraser, Music Teacher, Jean Lumb PS, Toronto DSB Mary Moynihan,

168 views • 16 slides
Totality Traffic Jam Ted Trepanier 1 INRIX Technology Platform Big data &amp; analytics

Totality Traffic Jam Ted Trepanier 1 INRIX Technology Platform Big data &amp; analytics

Totality Traffic Jam Ted Trepanier 1 INRIX Technology Platform Big data &amp; analytics platform ingests multiple sources of data and combines technologies to create innovative solutions Incide ident data ta Mobile dat data Traffic Par

745 views • 28 slides
WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Contact: Rob Miller

WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Contact: Rob Miller

Jamming MIMO Communications Jamming MIMO Communications WINLAB Rutgers, The State University of New Jersey www.winlab.rutgers.edu Contact: Rob Miller rdmiller@winlab.rutgers.edu So just what is this guy talking about? So just what is this

493 views • 28 slides
WELCOME As you walk around the room, describe a time that you experienced each form of kindness.

WELCOME As you walk around the room, describe a time that you experienced each form of kindness.

WELCOME As you walk around the room, describe a time that you experienced each form of kindness. What happened? Were you the giver, receiver or observer? What did it feel like? KINDNESS An approach to embedded professional Learning WHY

448 views • 15 slides
Network Serialization and Routing in World of Warcraft Joe Rumsey jrumsey@blizzard.com Twitter:

Network Serialization and Routing in World of Warcraft Joe Rumsey jrumsey@blizzard.com Twitter:

Network Serialization and Routing in World of Warcraft Joe Rumsey jrumsey@blizzard.com Twitter: @joerumz What is JAM? J oes A utomated M essages The Problem Game servers need to communicate with each other Manual serialization is

1.78k views • 131 slides
AP0 Target Status and Plans Ralph Ford, Yun He TSD Topical Meeting Jan. 17, 2019 Outline

AP0 Target Status and Plans Ralph Ford, Yun He TSD Topical Meeting Jan. 17, 2019 Outline

AP0 Target Status and Plans Ralph Ford, Yun He TSD Topical Meeting Jan. 17, 2019 Outline AP0 Target Status T18 in AP0 Alcove Modifications to T19 Target Design Fabrication and Assembling Process T19 Rotation Testing on Test

318 views • 9 slides

More recommend