relay attacks on passive keyless entry and start systems
play

Relay Attacks on Passive Keyless Entry and Start Systems in Modern - PowerPoint PPT Presentation

Jun 18, 2023 •296 likes •552 views

Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurlien Francillon, Boris Danev, Srdjan apkun Monday February 7, 2011 System Security Group 1 Modern Cars Evolution Increasing amount of electronics in cars

  1. Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars Aurélien Francillon, Boris Danev, Srdjan � apkun Monday February 7, 2011 System Security Group 1

  2. Modern Cars Evolution � Increasing amount of electronics in cars � For convenience and security and safety Entertainment Engine control Distance radar TPMS (Usenix Security 2010) On board computers and networks Key systems (S&P 2010) Monday February 7, 2011 System Security Group 2

  3. Agenda 1. Overview of Car Key Systems 2. Passive Keyless Entry and Start Systems 3. Relay Attacks 4. Analysis on 10 models 5. Conclusion Monday February 7, 2011 System Security Group 3

  4. 4 Categories of Key Systems � Metallic key � Remote active open � Immobilizer chips � Passive Keyless Entry and Start Monday February 7, 2011 System Security Group 4

  5. Car Keys Active Remote Open � Active keys: � Press a button to open the car � Physical key to start the car � Need to be close (<100m) � Shared cryptographic key between the key and the car � Previous attacks: weak crytpography � e.g. Keeloq (Eurocrypt 2008, Crypto 2008, Africacrypt 2009) Monday February 7, 2011 System Security Group 5

  6. Keys With Immobilizer Chips � Immobilizer chips � Passive RFID � Authorizes to start the engine � Close proximity: centimeters � Are present in most cars today � With metallic key � With remote open � Shared cryptographic key between the key and the car � Previous attacks: weak cryptography � e.g. TI DST Usenix Security 2005 Monday February 7, 2011 System Security Group 6

  7. Passive Keyless Entry and Start � PKES � Need to be close (<2m) and the car opens � Need to be in the car to start the engine � No need for human action on the key Monday February 7, 2011 System Security Group 7

  8. Passive Keyless Entry and Start 1. Periodic scan (LF) 2. Acknowledge proximity (UHF) 3. Car ID || Challenge (LF) 4. Key Response (UHF) LF (120 – 135 KHz), (1-2 meters) UHF (315 – 433 MHz), (50-100 meters) Monday February 7, 2011 System Security Group 8

  9. Main Idea of PKES systems � Cryptographic key authentication with challenge response � Replaying old signals impossible � Timeouts, freshness � Car to Key: inductive low frequency signals � Signal strength ~ d -3 � Physical proximity � Detected by reception of messages � Induced in key’s antenna � The system is vulnerable to relay attacks Monday February 7, 2011 System Security Group 9

  10. Relay-over-cable Attack on PKES � Very low cost attack (~50€) � Authentication do not prevent it Monday February 7, 2011 System Security Group 10

  11. Physical Layer Relay With Cable Monday February 7, 2011 System Security Group 11

  12. Relay Over the Air Attack Tested up to 50 m � Higher cost, (~1000 $) � Fast and difficult to detect � Authentication do not prevent it Monday February 7, 2011 System Security Group 12

  13. Physical Layer Wireless Relay 2.5 GHz Monday February 7, 2011 System Security Group 13

  14. Analysis on 10 Models � Car models with PKES � 10 models from 8 manufacturers � All use LF/UHF technology � None uses the exact same protocol � Form recorded traces � Some use longer messages � Strong crypto? Monday February 7, 2011 System Security Group 14

  15. Relay Over Cable vs. Model No Amplification Amplification M9 � Cables M8 � 10, 30 and 60m M7 � Longer distances M6 � Depend on the setup M5 M3 M2 M1 10 30 60 Distance [m] Monday, February 07, 2011 System Security Group 15

  16. Key to Antenna Distance Open - Key to Antenna Distance vs. Model Go - Key to Antenna Distance vs. Model M9 M9 M8 M8 M7 M7 M6 M6 M5 M5 M2 M2 No Amplification No Amplification Amplification Amplification 0 2 4 6 8 0 2 4 6 8 Distance [m] Distance [m] Monday February 7, 2011 System Security Group 16

  17. How Much Delay is Accepted by the Car ? � The maximum distance of relay depends on � Acceptable delay � Speed of radio waves (~ speed of light ) � Possibility to relay at higher levels ? � E.g. relay over IP ? � To know that we need to delay radio signals � Various lengths of cable: not practical � Scope/signal generator: too slow � Software Defined Radios: still too slow Monday February 7, 2011 System Security Group 17

  18. Inserting a Tunable Delay � We used a Software Defined Radio: USRP/Gnuradio � Minimum delay 15ms � Samples processed by a computer � Delays added by the USB bus � We modified the USRP’s FPGA to add tunable delays � From 5µs to 10ms � Buffering samples on the device � Samples directly replayed � Without processing on the computer Monday February 7, 2011 System Security Group 18

  19. Maximum Accepted Delay vs. Model Maximum Accepted Delay vs. Model 35 µs => 5 Km M10 M9 M8 M7 10 ms => 1500 Km M6 M5 M4 � Non physical layer M2 relays difficult with M1 most models 0.5 2 4 6 8 10 Delay [ms] Monday February 7, 2011 System Security Group 19

  20. Implications of The Attack � Relay on a parking lot � One antenna near the elevator � Attacker at the car while car owner waits for the elevator � Keys in locked house, car parked in front of the house � E.g. keys left on the kitchen table � Put an antenna close to the window, � Open and start the car without entering the house � Tested in practice Monday February 7, 2011 System Security Group 20

  21. Additionnal Insights � When started the car can be driven away without maintaining the relay � It would be dangerous to stop the car when the key is not available anymore � Some beep, some limit speed � No trace of entry/start � Legal / Insurance issues Monday February 7, 2011 System Security Group 21

  22. Countermeasures � Immediate protection mechanisms � Shield the key � Remove the battery � Seriously reduces the convenience of use � Long term � Build a secure system that securely verifies proximity � e.g. : Realization of RF Distance bounding � Usenix Security 2010 Still some challenges to address before a usable system Monday February 7, 2011 System Security Group 22

  23. Conclusion � This is a simple concept, yet extremely efficient attack � Real world use of physical layer relay attacks � Relays at physical layer are extremely fast, efficient � All tested systems so far are vulnerable � Completely independent of � Protocols, authentication, encryption � Techniques to perform secure distance measurement are required, on a budget � Still an open problem Monday February 7, 2011 System Security Group 23

  24. Questions ? Contact : Aurélien Francillon aurelien.francillon@inf.ethz.ch Boris Danev bdanev@inf.ethz.ch Srdjan Capkun capkuns@inf.ethz.ch Monday February 7, 2011 System Security Group 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO

ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO

LOCK IT AND STILL LOSE IT ON THE (IN)SECURITY OF AUTOMOTIVE REMOTE KEYLESS ENTRY SYSTEMS FLAVIO GARCIA, DAVID OSWALD, TIMO KASPER, PIERRE PAVLIDES PRESENTED BY JACOB BEDNARD, WAYNE STATE UNIVERSITY CSC5991 MAJOR CONTRIBUTIONS VW Group

668 views • 40 slides
Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo* Wonsuk Choi* Dong Hoon Lee Korea University * Co-first Authors Outline Introduction Attack Model Our Method Evaluation Discussion

627 views • 34 slides
Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo*

Hold The Door! Fingerprinting Your Car Key to Prevent Keyless Entry Car Theft Kyungho Joo* Wonsuk Choi* Dong Hoon Lee Korea University * Co-first Authors Outline Introduction Attack Model Our Method Evaluation Discussion

487 views • 37 slides
NFC Payments: The Art of Relay &amp; Replay Attacks Who are we? Troopers 2018? NFC

NFC Payments: The Art of Relay &amp; Replay Attacks Who are we? Troopers 2018? NFC

NFC Payments: The Art of Relay &amp; Replay Attacks Who are we? Troopers 2018? NFC Replay/Relay @Netxing @L_AGalloway Content Terminology Replay Attack Intro to NFC Relay Attack EMV Flow Process Extracting

1.09k views • 65 slides
Car security: remote keyless entry and go Dick Visser and Jarno van de Moosdijk June 2009

Car security: remote keyless entry and go Dick Visser and Jarno van de Moosdijk June 2009

Introduction Theory Results Conclusion Car security: remote keyless entry and go Dick Visser and Jarno van de Moosdijk June 2009 Dick Visser and Jarno van de Moosdijk Car security: remote keyless entry and go Introduction

388 views • 24 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Countermeasures and Evolved Frauds

633 views • 40 slides
Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr

Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr

Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr guez Jos pvtolkien@gmail.com, rj.rodriguez@unileon.es All wrongs reversed Computer Science and Research Institute of Systems

1.23k views • 57 slides
Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE

Defeating Relay Attacks in NFC Payments Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2014 distance-bounding SDTA 14 1 / 42 Relay Attacks 1 Distance-Bounding Protocols 2 3 Asymmetric DB Protocols

1.02k views • 42 slides
Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY RFID Background Relay Attacks Distance Bounding Protocols Conclusion

666 views • 53 slides
Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain,

Relay Attacks and Distance Bounding Protocols Gildas Avoine Universit e catholique de Louvain, Belgium Workshop on Cryptography for the Internet of Things November 20 21, 2012, Antwerp, Belgium SUMMARY Relay Attacks Distance Bounding

349 views • 21 slides
NFC Payments: The Art of Relay &amp; Replay Attacks Who am I? Security Researcher

NFC Payments: The Art of Relay &amp; Replay Attacks Who am I? Security Researcher

NFC Payments: The Art of Relay &amp; Replay Attacks Who am I? Security Researcher Samsung Pay Exploiting Mag-stripe info with Bluetooth audio Co-founder of Women in Tech Fund @Netxing (WomenInTechFund.org) Content

1.07k views • 73 slides
Improving performance in delay/disruption tolerant networks through passive relay points Saeed

Improving performance in delay/disruption tolerant networks through passive relay points Saeed

Wireless Netw (2012) 18:931 DOI 10.1007/s11276-011-0384-1 Improving performance in delay/disruption tolerant networks through passive relay points Saeed Shahbazi Shanika Karunasekera Aaron Harwood Published online: 30 September 2011

605 views • 23 slides
Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila ,

Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila ,

Experiences on NFC Relay Attacks with Android: Virtual Pickpocketing Revisited e Vila , Ricardo J. Rodr guez Jos 594190@unizar.es, rj.rodriguez@unileon.es All wrongs reversed University of Zaragoza, Spain RIASC,

1.03k views • 53 slides
Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium

Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium

Distance Bounding for RFID Prof. Gildas Avoine Universit e catholique de Louvain, Belgium Information Security Group SUMMARY Relay Attacks Distance Bounding Protocols Discussion RELAY ATTACKS Relay Attacks Distance Bounding Protocols

330 views • 28 slides
Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila

Practical Experiences on NFC Relay Attacks with Android Virtual Pickpocketing Revisited e Vila 1 and Ricardo J. Rodr Jos guez 2 1 DIIS, University of Zaragoza, Spain 2 Research Institute of Applied Sciences in Cybersecurity, University

337 views • 17 slides
Research Project I PROTECTING AGAINST RELAY ATTACKS FORGING INCREASED DISTANCE REPORTS Xavier

Research Project I PROTECTING AGAINST RELAY ATTACKS FORGING INCREASED DISTANCE REPORTS Xavier

SYSTEM AND NETWORK ENGINEERING MSc Research Project I PROTECTING AGAINST RELAY ATTACKS FORGING INCREASED DISTANCE REPORTS Xavier Torrent Gorjn xavier.torrentgorjon@os3.nl Supervisors: Paul van Iterson Jordi van

263 views • 23 slides
RANDY G. FISCHER Discusses potential characteristics of an active shooter Potential warning

RANDY G. FISCHER Discusses potential characteristics of an active shooter Potential warning

RANDY G. FISCHER Discusses potential characteristics of an active shooter Potential warning signs for an active shooter Strategies for surviving an incident Law Enforcements response to an active shooter incident Incidents of Active Shooters

745 views • 35 slides
Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA

Side Channel Attacks and Countermeasures for Embedded Systems Job de Haas Black Hat USA August 2, 2007 Black Hat USA 2007 Agenda Advances in Embedded Systems Security From USB stick to game console Current attacks

533 views • 41 slides
Q3FY19 Standalone Highlights Q3FY19 LOANS NIM* P A T NET NPA ` 1,291 cr 4.33% ` 196,432 cr

Q3FY19 Standalone Highlights Q3FY19 LOANS NIM* P A T NET NPA ` 1,291 cr 4.33% ` 196,432 cr

INVESTOR PRESENTATION Q3FY19 Standalone Highlights Q3FY19 LOANS NIM* P A T NET NPA ` 1,291 cr 4.33% ` 196,432 cr 0.71% [ ` 1,053 cr] [4.27%] [ ` 159,071 cr] [1.09%] CAR TOTAL CASA BRANCHES 18.1% # ASSETS [18.7%] Tier I 1,453

609 views • 37 slides
Investors Presentation September 2010 Disclaimer All forward-looking statements are Ingenico

Investors Presentation September 2010 Disclaimer All forward-looking statements are Ingenico

Investors Presentation September 2010 Disclaimer All forward-looking statements are Ingenico managements present expectations of future events and are subject to a number of factors and uncertainties that could cause actual results to differ

572 views • 35 slides
Active Shooter Guidance Training Overview Rihana Ahmad Manager, State Plan and Self-Advocacy

Active Shooter Guidance Training Overview Rihana Ahmad Manager, State Plan and Self-Advocacy

Active Shooter Guidance Training Overview Rihana Ahmad Manager, State Plan and Self-Advocacy Credits Special thanks to everyone who supported the development and release of the Active Shooter Training and Drill ToolBox: 2 Number of Number

299 views • 27 slides
Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal

Automatic Network Protection Scenarios Using NetFlow Vojt ch Krm ek, Jan Vykopal {krmicek|vykopal}@ics.muni.cz FloCon 2012 January 9-12, Austin, Texas Part I Flow-based Network Protection Krmicek et al. Automatic Network Protection

478 views • 23 slides
The Office of Infrastructure Protection National Protection and Programs Directorate Department

The Office of Infrastructure Protection National Protection and Programs Directorate Department

The Office of Infrastructure Protection National Protection and Programs Directorate Department of Homeland Security Active Threat Options for Consideration Run Hide Fight Todays Discussion Training vs. Facilitated Discussion Tools

352 views • 24 slides
Licensure Under Attack Todays Panelists Mark Golden, CAE, FASAE National Society of

Licensure Under Attack Todays Panelists Mark Golden, CAE, FASAE National Society of

Licensure Under Attack Todays Panelists Mark Golden, CAE, FASAE National Society of Professional Engineers Executive Director Jerry Carter National Council of Examiners for Engineering and Surveying Chief Executive Officer Melissa

611 views • 31 slides

More recommend