
Gone in 360 Seconds Hijacking With Hitag2-USENIX 2012


Gone in 360 Seconds: Hijacking with Hitag2

Roel Verdult, Flavio D. Garcia
Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands.
{rverdult,flaviog}@cs.ru.nl

Josep Balasch
KU Leuven ESAT/COSIC and IBBT, Kasteelpark Arenberg 10, 3001 Heverlee, Belgium
josep.balasch@esat.kuleuven.be

Abstract
An electronic vehicle immobilizer is an anti-theft device which prevents the engine of the vehicle from starting unless the corresponding transponder is present. Such a transponder is a passive RFID tag which is embedded in the car key and wirelessly authenticates to the vehicle. It prevents a perpetrator from hot-wiring the vehicle or starting the car by forcing the mechanical lock. Having such an immobilizer is required by law in several countries. Hitag2, introduced in 1996, is currently the most widely used transponder in the car immobilizer industry. It is used by at least 34 car makes and fitted in more than 200 different car models. Hitag2 uses a proprietary stream cipher with 48-bit keys for authentication and confidentiality. This article reveals several weaknesses in the design of the cipher and presents three practical attacks that recover the secret key using only wireless communication. The most serious attack recovers the secret key from a car in less than six minutes using ordinary hardware. This attack allows an adversary to bypass the cryptographic authentication, leaving only the mechanical key as safeguard. This is even more sensitive on vehicles where the physical key has been replaced by a keyless entry system based on Hitag2. During our experiments we managed to recover the secret key and start the engine of many vehicles from various makes using our transponder emulating device. These experiments also revealed several implementation weaknesses in the immobilizer units.
1 Introduction
In the past, most cars relied only on mechanical keys to prevent a hijacker from stealing the vehicle. Since the 90s most car manufacturers incorporated an electronic car immobilizer as an extra security mechanism in their vehicles. From 1995 it is mandatory that all cars sold in the EU are fitted with such an immobilizer device, according to European directive 95/56/EC. Similar regulations apply to other countries like Australia, New Zealand (AS/NZS 4601:1999) and Canada (CAN/ULC S338-98). An electronic car immobilizer consists of two main components: a small transponder chip which is embedded in (the plastic part of) the car key, see Figure 1; and a reader which is located somewhere in the dashboard of the vehicle and has an antenna coil around the ignition, see Figure 2.
Figure 1: Car keys with a Hitag2 transponder/chip
The transponder is a passive RFID tag that operates at a
low frequency wave of 125 kHz. It is powered up when
it comes in proximity range of the electronic field of the
reader. When the transponder is absent, the immobilizer
unit prevents the vehicle from starting the engine.
Figure 2: Immobilizer unit around the ignition barrel
A distinction needs to be made with the remotely operated central locking system, which opens the doors, is battery powered, operates at an ultra-high frequency (UHF) of 433 MHz, and only activates when the user pushes a button on the remote key. More recent car keys are often deployed with a hybrid chip that supports the battery powered ultra-high frequency as well as the passive low frequency communication interface.
With the Hitag2 family of transponders, its manufacturer NXP Semiconductors (formerly Philips Semiconductors) leads the immobilizer market [34]. Figure 4 shows a list containing some of the vehicles that are deployed with a Hitag2 transponder. Even though NXP boasts "Unbreakable security levels using mutual authentication, challenge-response and encrypted data communication"¹, it uses a shared key of only 48 bits.
Since 1988, the automotive industry has moved to-
wards the so-called keyless ignition or keyless entry in
their high-end vehicles [26]. In such a vehicle the mech-
anical key is no longer present and it has been replaced
by a start button like the one shown in Figure 3. The only
anti-theft mechanism left in these vehicles is the immob-
ilizer. Startlingly, many keyless ignition or entry vehicles
sold nowadays are still based on the Hitag2 cipher. In
some keyless entry cars Hitag2 is also used as a backup
mechanism for opening the doors, e.g., when the battery
of the remote is depleted.
Figure 3: Keyless hybrid transponder and engine
start/stop button
Related work
A similar immobilizer transponder is produced by Texas Instruments under the name Digital Signature Transponder (DST). It is protected by a different proprietary cryptographic algorithm that uses a secret key of only 40 bits. The workings of these algorithms were reverse engineered by Bono et al. in [10]. Francillon et al. demonstrated in [18] that it is possible to relay in real-time the (encrypted) communication of several keyless entry systems. The article shows that in some cases such a communication can be intercepted over a distance of at least 100 meters.
¹ http://www.nxp.com/products/automotive/car_access_immobilizers/immobilizer/
Make | Models
Acura | CSX, MDX, RDX, TL, TSX
Alfa Romeo | 156, 159, 166, Brera, Giulietta, Mito, Spider
Audi | A8
Bentley | Continental
BMW | Serie 1, 5, 6, 7, all bikes
Buick | Enclave, Lucerne
Cadillac | BLS, DTS, Escalade, SRX, STS, XLR
Chevrolet | Avanlache, Caprice, Captiva, Cobalt, Equinox, Express, HHR, Impala, Malibu, Montecarlo, Silverado, Suburban, Tahoe, Trailblazer, Uplander
Chrysler | 300C, Aspen, Grand Voyager, Pacifica, Pt Cruiser, Sebring, Town Country, Voyager
Citroen | Berlingo, C-Crosser, C2, C3, C4, C4 Picasso, C5, C6, C8, Nemo, Saxo, Xsara, Xsara Picasso
Dacia | Duster, Logan, Sandero
Daewoo | Captiva, Windstorm
Dodge | Avenger, Caliber, Caravan, Charger, Dakota, Durango, Grand Caravan, Journey, Magnum, Nitro, Ram
Fiat | 500, Bravo, Croma, Daily, Doblo, Fiorino, Grande Punto, Panda, Phedra, Ulysse, Scudo
GMC | Acadia, Denali, Envoy, Savana, Siera, Terrain, Volt, Yukon
Honda | Accord, Civic, CR-V, Element, Fit, Insight, Stream, Jazz, Odyssey, Pilot, Ridgeline, most bikes
Hummer | H2, H3
Hyundai | 130, Accent, Atos Prime, Coupe, Elantra, Excel, Getz, Grandeur, I30, Matrix, Santafe, Sonata, Terracan, Tiburon, Tucoson, Tuscanti
Isuzu | D-Max
Iveco | 35C11, Eurostar, New Daily, S-2000
Jeep | Commander, Compass, Grand Cherokee, Liberty, Patriot, Wrangler
Kia | Carens, Carnival, Ceed, Cerato, Magentis, Mentor, Optima, Picanto, Rio, Sephia, Sorento, Spectra, Sportage
Lancia | Delta, Musa, Phedra
Mini | Cooper
Mitsubishi | 380, Colt, Eclipse, Endeavor, Galant, Grandis, L200, Lancer, Magna, Outlander, Outlander, Pajero, Raider
Nissan | Almera, Juke, Micra, Pathfinder, Primera, Qashqai, Interstar, Note, Xterra
Opel | Agila, Antara, Astra, Corsa, Movano, Signum, Vectra, Vivaro, Zafira
Peugeot | 106, 206, 207, 307, 406, 407, 607, 807, 1007, 3008, 5008, Beeper, Partner, Boxer, RCZ
Pontiac | G5, G6, Pursuit, Solstice, Torrent
Porsche | Cayenne
Renault | Clio, Duster, Kangoo, Laguna II, Logan, Master, Megane, Modus, Sandero, Trafic, Twingo
Saturn | Aura, Outlook, Sky, Vue
Suzuki | Alto, Grand Vitara, Splash, Swift, Vitara, XL-7
Volkswagen | Touareg, Phaeton
Figure 4: Vehicles using Hitag2 [29]; boldface indicates vehicles we tested
The history of the NXP Hitag2 family of transponders overlaps with that of other security products designed and deployed in the late nineties, such as Keeloq [8, 13, 27, 28], MIFARE Classic [12, 19, 22, 35], CryptoMemory [4, 5, 23] or iClass [20, 21]. Originally, information on Hitag2 transponders was limited to data sheets with high level descriptions of the chip's functionality [36], while details on the proprietary cryptographic algorithms were kept secret by the manufacturer. This phase, in which security was strongly based on obscurity, lasted until 2007, when the Hitag2 inner workings were reverse engineered [47]. Similarly to its predecessor Crypto1 (used in MIFARE Classic), the Hitag2 cipher consists of a 48 bit Linear Feedback Shift Register (LFSR) and a non-linear filter function used to output keystream. The publication of the Hitag2 cipher attracted the interest of the scientific community. Courtois et al. [14] were the first to study the strength of the Hitag2 stream cipher against algebraic attacks by transforming the cipher state into a system of equations and using SAT solvers to perform key recovery attacks. Their most practical attack requires two days computation and a total of four eavesdropped authentication attempts to extract the secret key. A more efficient attack, requiring 16 chosen initialization vectors (IV) and six hours of computations, was also proposed. However, and as noted by the authors themselves, chosen-IV attacks are prevented by the Hitag2 authentication protocol (see Sect. 3.5), thus making this attack unfeasible in practice.
In [42], Soos et al. introduced a series of optimizations on SAT solvers that made it possible to reduce the attack time of Courtois et al. to less than 7 hours. More recently, Štembera and Novotný [45] implemented a brute-force attack that could be carried out in less than two hours by using the COPACOBANA² high-performance cluster of FPGAs. Note however, that such an attack would require about 4 years if carried out on a standard PC. Finally, Sun et al. [44] tested the security of the Hitag2 cipher against cube attacks. Although according to their results the key can be recovered in less than a minute, this attack requires chosen initialization vectors and thus should be regarded as strictly theoretical.
Our contribution
In this paper, we show a number of vulnerabilities in the
Hitag2 transponders that enable an adversary to retrieve
the secret key. We propose three attacks that extract the
secret key under different scenarios. We have implemen-
ted and successfully executed these attacks in practice on
more than 20 vehicles of various make and model. On all
these vehicles we were able to use an emulating device
to bypass the immobilizer and start the vehicle.
Concretely, we found the following vulnerabilities in
Hitag2.
• The transponder lacks a pseudo-random number generator, which makes the authentication procedure vulnerable to replay attacks. Moreover, the transponder provides known data when a read command is issued on the block where the transponder's identity is stored, allowing to recover keystream. Redundancy in the commands allows an adversary to expand this keystream to arbitrary lengths. This means that the transponder provides an arbitrary length keystream oracle.
• With probability 1/4 the output bit of the cipher is determined by only 34 bits of the internal state. As a consequence, (on average) one out of four authentication attempts leaks one bit of information about the secret key.
• The 48 bit internal state of the cipher is only randomized by a nonce of 32 bits. This means that 16 bits of information over the secret key are persistent throughout different sessions.

² http://www.copacobana.org
We exploit these vulnerabilities in the following three
practical attacks.
• The first attack exploits the malleability of the cipher and the fact that the transponder does not have a pseudo-random number generator. It uses a keystream shifting attack following the lines of [16]. This allows an adversary to first get an authentication attempt from the reader which can later be replayed to the transponder. Exploiting the malleability of the cipher, this can be used to read known plaintext (the identity of the transponder) and recover keystream. In a new session the adversary can use this keystream to read any other memory block (with exception of the secret key when configured correctly) within milliseconds. When the key is not read protected, this attack can also be used to read the secret key. This was in fact the case for most vehicles we tested from a French car make.
• The second attack is slower but more general in the sense that the same attack strategy can be applied to other LFSR based ciphers. The attack uses a time/memory tradeoff as proposed in [3, 6, 7, 11, 25, 38]. Exploiting the linear properties of the LFSR, we are able to efficiently generate the lookup table, reducing the complexity from $2^{48}$ to $2^{37}$ encryptions. This attack recovers the secret key regardless of the read protection configuration of the transponder. It requires 30 seconds of communication with the transponder and another 30 seconds to perform 2000 table lookups.
• The third attack is also the most powerful, as it only requires a few authentication attempts from the car immobilizer to recover the secret key (assuming that the adversary knows a valid transponder id). This cryptanalytic attack exploits dependencies among different sessions and a low degree determination of the filter function used in the cipher. In order to execute this attack, an adversary first gathers 136 partial authentication attempts from the car. This can be done within one minute. Then, the adversary needs to perform $2^{35}$ operations to recover the secret key. This takes less than five minutes on an ordinary laptop.
Furthermore, besides looking into the security aspects of Hitag2 we also study how it is deployed and integrated in car immobilizer systems by different manufacturers. Our study reveals that in many vehicles the transponder is misconfigured by having readable or default keys, and predictable passwords, whereas the immobilizer unit employs weak pseudo-random number generators. All cars we tested use identifier white-listing as an additional security mechanism. This means that in order to use our third attack to hijack a car, an adversary first needs to eavesdrop, guess or wirelessly pickpocket a legitimate transponder id, see Section 7.5.
Following the principle of responsible disclosure, we have contacted the manufacturer NXP and informed them of our findings six months ahead of publication. We have also provided our assistance in compiling a document to inform their customers about these vulnerabilities. The communication with NXP has been friendly and constructive. NXP has for years encouraged the automotive industry to migrate to more secure products that incorporate strong and community-reviewed ciphers like AES [15]. It is surprising that the automotive industry is reluctant to migrate to secure products given the cost difference of a better chip ( 1 USD) in relation to the prices of high-end car models (50,000 USD).
2 Hardware setup
Before diving into details about Hitag2, this section introduces the experimental platform we have developed in order to carry out attacks in real-life deployments of car immobilizer systems. In particular, we have built a portable and highly flexible setup allowing us to i) eavesdrop communications between Hitag2 readers and transponders, ii) emulate a Hitag2 reader, and iii) emulate a Hitag2 transponder. Figure 5 depicts our setup in the setting of eavesdropping communications between a reader and a transponder.
The central element of our experimental platform is the Proxmark III board³, originally developed by Jonathan Westhues⁴, and designed to work with RFID transponders ranging from low frequency (125 kHz) to high frequency (13.56 MHz). The Proxmark III board costs around 200 USD and comes equipped with an FPGA and an ARM microcontroller. Low-level RF operations such as modulation/demodulation are carried out by the FPGA, whereas high-level operations such as encoding/decoding of frames are performed in the microcontroller.

³ http://www.proxmark.org
⁴ http://cq.cx/proxmark3.pl

Figure 5: Experimental setup for eavesdropping
Hitag2 tags are low frequency transponders used in proximity area RFID applications [36]. Communication from reader to transponder is encoded using Binary Pulse Length Modulation (BPLM), whereas from transponder to reader it can be encoded using either Manchester or Biphase coding. In order to eavesdrop, generate, and read communications from reader to transponder, we added support for encoding/decoding BPLM signals, see Figure 6.
Figure 6: Reader modulation of a read command
For the transponder side, we have also added the func-
tionalities to support the Manchester coding scheme as
shown in Figure 7.
Figure 7: Communication from transponder to reader
3 Hitag2
This section describes Hitag2 in detail. Most of this information is in the public domain. We first describe the Hitag2 functionality, memory structure, and communication protocols; this comes mostly from the product data sheet [36]. Then we describe the cipher and the authentication protocol which was previously reverse engineered in [47]. In Section 3.7 we show that it is possible to run the cipher backwards which we use in our attacks.
We first need to introduce some notation. Let $\mathbb{F}_2 = \{0, 1\}$ be the field of two elements (or the set of Booleans). The symbol $\oplus$ denotes exclusive-or (XOR) and $0^n$ denotes a bitstring of $n$ zero-bits. Given two bitstrings $x$ and $y$, $xy$ denotes their concatenation. $\overline{x}$ denotes the bitwise complement of $x$. We write $y_i$ to denote the $i$-th bit of $y$. For example, given the bitstring $y = \texttt{0x03}$, $y_0 = y_1 = 0$ and $y_6 = y_7 = 1$. We denote encryptions by $\{-\}$.
3.1 Functionality
Access to the Hitag2 memory contents is determined by pre-configured security policies. Hitag2 transponders offer up to three different modes of operation:
1. In public mode the contents of the user data pages
are simply broadcast by the transponder once it is
powered up.
2. In password mode reader and transponder authen-
ticate each other by interchanging their passwords.
Communication is carried out in the clear, therefore
this authentication procedure is vulnerable to replay
attacks.
3. In crypto mode the reader and the transponder per-
form a mutual authentication by means of a 48-bit
shared key. Communication between reader and
transponder is encrypted using a proprietary stream
cipher. This mode is used in car immobilizer sys-
tems and will be the focus of this paper.
3.2 Memory
Hitag2 transponders have a total of 256 bits of non-volatile memory (EEPROM) organized in 8 blocks of 4 bytes each. Figure 8 illustrates the memory contents of a transponder configured in crypto mode. Block 0 stores the read-only transponder identifier; the secret key is stored in blocks 1 and 2; the password and configuration bits in block 3; blocks 4 till 7 store user defined memory. Access to any of the memory blocks in crypto mode is only granted to a reader after a successful mutual authentication.

Block | Contents
0 | transponder identifier $id$
1 | secret key low $k_0 \ldots k_{31}$
2 | secret key high $k_{32} \ldots k_{47}$; reserved
3 | configuration; password
4-7 | user defined memory
Figure 8: Hitag2 memory map in crypto mode [36]
3.3 Communication
The communication protocol between the reader and transponder is based on the master-slave principle. The reader sends a command to the transponder, which then responds after a predefined period of time. There are five different commands: authenticate, read, $\overline{\text{read}}$, write and halt. As shown in Figure 9, the authenticate command has a fixed length of 5 bits, whereas the others have a length of at least 10 bits. Optionally, these 10 bits can be extended with a redundancy message of size multiple of 5 bits. A redundancy message is composed by the bit-complement of the last five bits of the command. According to the datasheet [36] this feature is introduced to achieve a higher confidence level.
In crypto mode the transponder starts in a halted state
and is activated by the authenticate command. After a
successful authentication, the transponder enters the act-
ive state in which it only accepts active commands which
are encrypted. Every encrypted bit that is transferred
consists of a plaintext bit XOR-ed with one bit of the
keystream. The active commands have a 3-bit argument
n which represents the offset (block number) in memory.
From this point we address Hitag2 active commands by
referring to commands and explicitly mention authentic-
ation otherwise.
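Command | Bits | State
authenticate | $11000$ | halted
read | $11\,n_0 n_1 n_2\;00\,\overline{n_0}\,\overline{n_1}\,\overline{n_2} \ldots$ | active
$\overline{\text{read}}$ | $01\,n_0 n_1 n_2\;10\,\overline{n_0}\,\overline{n_1}\,\overline{n_2} \ldots$ | active
write | $10\,n_0 n_1 n_2\;01\,\overline{n_0}\,\overline{n_1}\,\overline{n_2} \ldots$ | active
halt | $00\,n_0 n_1 n_2\;11\,\overline{n_0}\,\overline{n_1}\,\overline{n_2} \ldots$ | active
Figure 9: Hitag2 commands using block number n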
Next we define the function cmd which constructs a bit string that represents a command $c$ on block $n$ with $r$ redundancy messages.

Definition 3.1. Let $c$ be the first 2-bit command as defined in Figure 9, $n$ be a 3-bit memory block number and $r$ be the number of redundancy messages. Then, the function $\mathrm{cmd} : \mathbb{F}_2^2 \times \mathbb{F}_2^3 \times \mathbb{N} \to \mathbb{F}_2^{(10+5r)}$ is defined by
$$\mathrm{cmd}(c, n, 0) = c\,n\,\overline{c}\,\overline{n}$$
$$\mathrm{cmd}(c, n, r+1) = \begin{cases} \mathrm{cmd}(c, n, r)\,\overline{c}\,\overline{n}, & r \text{ is odd;} \\ \mathrm{cmd}(c, n, r)\,c\,n, & \text{otherwise.} \end{cases}$$

For example, the command to read block 0 with two redundancy messages results in the following bit string.
$$\mathrm{cmd}(11, 0, 2) = 11000\;00111\;11000\;00111$$
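The command format of Definition 3.1, as an added example (not code from the paper): cmd() builds the plaintext bit string using the rule stated in Section 3.3, each redundancy message being the bit-complement of the previous five bits, and parse_cmd() is a hypothetical validator that recovers (c, n, r) and rejects frames whose redundancy does not match. It assumes the block number is written with $n_0$ as the most significant bit, following the bit-numbering convention introduced above.

```python
def complement(bits: str) -> str:
    """Bitwise complement of a bit string such as '11000'."""
    return "".join("1" if b == "0" else "0" for b in bits)


def cmd(c: str, n: int, r: int) -> str:
    """Plaintext command bits for 2-bit command c on block n with r
    redundancy messages (Definition 3.1); length is 10 + 5r bits."""
    if len(c) != 2 or set(c) - {"0", "1"}:
        raise ValueError("c must be a 2-bit string")
    if not 0 <= n <= 7 or r < 0:
        raise ValueError("n must be 0..7 and r non-negative")
    head = c + format(n, "03b")           # c n  (assumption: n0 is the MSB)
    frame = head + complement(head)       # c n c̄ n̄
    for _ in range(r):
        # A redundancy message is the complement of the last five bits.
        frame += complement(frame[-5:])
    return frame


def parse_cmd(frame: str):
    """Validate a plaintext command frame and return (c, n, r).

    Raises ValueError when the length is not 10 + 5r or when any
    five-bit group is not the complement of the group before it."""
    if len(frame) < 10 or len(frame) % 5 or set(frame) - {"0", "1"}:
        raise ValueError("frame must be 10 + 5r bits of 0/1")
    head = frame[:5]
    groups = len(frame) // 5
    for k in range(1, groups):
        expected = complement(head) if k % 2 else head
        if frame[5 * k:5 * k + 5] != expected:
            raise ValueError(f"redundancy mismatch in group {k}")
    return head[:2], int(head[2:], 2), groups - 2


if __name__ == "__main__":
    # The worked example from the text: read block 0, two redundancy messages.
    print(cmd("11", 0, 2))
    print(parse_cmd(cmd("11", 0, 2)))
```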
The encrypted messages between reader and transponder are transmitted without any parity bits. The transponder response always starts with a prefix of five ones, see Figure 10. In the remainder of this paper we will omit this prefix. A typical forward and backwards communication takes about 12 ms.

reader → transponder: $\{11000\,00111\,11000\,00111\}$
transponder → reader: $11111\,\{id_0 \ldots id_{31}\}$
Figure 10: Message flow for reading memory block 0

3.4 Cipher
In crypto mode, the communication between transponder and reader (after a successful authentication) is encrypted with the Hitag2 stream cipher. This cipher has been reverse engineered in [47]. The cipher consists of a 48-bit linear feedback shift register (LFSR) and a non-linear filter function $f$. Each clock tick, twenty bits of the LFSR are put through the filter function, generating one bit of keystream. Then the LFSR shifts one bit to the left, using the generating polynomial to generate a new bit on the right. See Figure 11 for a schematic representation.
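Definition 3.2. The feedback function $L : \mathbb{F}_2^{48} \to \mathbb{F}_2$ is defined by
$$L(x_0 \ldots x_{47}) := x_0 \oplus x_2 \oplus x_3 \oplus x_6 \oplus x_7 \oplus x_8 \oplus x_{16} \oplus x_{22} \oplus x_{23} \oplus x_{26} \oplus x_{30} \oplus x_{41} \oplus x_{42} \oplus x_{43} \oplus x_{46} \oplus x_{47}.$$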
The filter function $f$ consists of three different circuits $f_a$, $f_b$ and $f_c$ which output one bit each. The circuits $f_a$ and $f_b$ are employed more than once, using a total of twenty input bits from the LFSR. Their resulting bits are used as input for $f_c$. The circuits are represented by three boolean tables that contain the resulting bit for each input.

Definition 3.3 (Filter function). The filter function $f : \mathbb{F}_2^{48} \to \mathbb{F}_2$ is defined by
$$f(x_0 \ldots x_{47}) = f_c\big(f_a(x_2 x_3 x_5 x_6),\; f_b(x_8 x_{12} x_{14} x_{15}),\; f_b(x_{17} x_{21} x_{23} x_{26}),\; f_b(x_{28} x_{29} x_{31} x_{33}),\; f_a(x_{34} x_{43} x_{44} x_{46})\big),$$
where $f_a, f_b : \mathbb{F}_2^4 \to \mathbb{F}_2$ and $f_c : \mathbb{F}_2^5 \to \mathbb{F}_2$ are
$$f_a(i) = (\texttt{0xA63C})_i$$
$$f_b(i) = (\texttt{0xA770})_i$$
$$f_c(i) = (\texttt{0xD949CBB0})_i.$$
For future reference, note that each of the building blocks
of f (and hence f itself) has the property that it outputs
zero for half of the possible inputs (respectively one).
Remark 3.4 (Cipher schematic). Figure 11 is different from the schematic that was introduced by [47] and later used by [14, 19, 44, 45]. The input bits of the filter function in Figure 11 are shifted by one with respect to those of [47]. The filter function in the old schematic represents a keystream bit at the previous state $f(x_{i-1} \ldots x_{i+46})$, while the one in Figure 11 represents a keystream bit of the current state $f(x_i \ldots x_{i+47})$. Furthermore, we have adapted the boolean tables to be consistent with our notation.
3.5 Authentication protocol
The authentication protocol used in Hitag2 in crypto mode, reverse engineered and published online in 2007 [47], is depicted in Figure 12. The reader starts the communication by sending an authenticate command, to which the transponder answers by sending its identifier $id$. From this point on, communication is encrypted, i.e., XOR-ed with the keystream. The reader responds with its encrypted challenge $n_R$ and the answer $a_R = \texttt{0xFFFFFFFF}$ also encrypted to prove knowledge of the key; the transponder finishes with its encrypted answer $a_T$ (corresponding to block 3 in Fig. 8) to the challenge of the reader.

reader → transponder: authenticate
transponder → reader: $id$
reader → transponder: $\{n_R\}\{a_R\}$
transponder → reader: $\{a_T\}$
Figure 12: Hitag2 authentication protocol

During the authentication protocol, the internal state of the stream cipher is initialized. The initial state consists of the 32-bit identifier concatenated with the first 16 bits of the key. Then the reader nonce $n_R$ XORed with the last 32 bits of the key is shifted in. During initialization, the LFSR feedback is disabled. Since communication is encrypted from $n_R$ onwards, the encryption of the later bits of $n_R$ is influenced by its earlier bits. Authentication is achieved by reaching the same internal state of the cipher after shifting in $n_R$.
Figure 11: Structure of the Hitag2 stream cipher, based on [47]. (Schematic: a 48-bit LFSR with cells numbered 0 to 47; the first filter layer consists of $f_a$ = 0xA63C, $f_b$ = 0xA770, $f_b$ = 0xA770, $f_b$ = 0xA770 and $f_a$ = 0xA63C, whose outputs feed $f_c$ = 0xD949CBB0, which outputs the keystream.)

3.6 Cipher Initialization
The following precisely defines the initialization of the cipher and the generation of the LFSR-stream $a_0 a_1 \ldots$ and the keystream $b_0 b_1 \ldots$.

Definition 3.5. Given a key $k = k_0 \ldots k_{47} \in \mathbb{F}_2^{48}$, an identifier $id = id_0 \ldots id_{31} \in \mathbb{F}_2^{32}$, a reader nonce $n_R = n_{R_0} \ldots n_{R_{31}} \in \mathbb{F}_2^{32}$, a reader answer $a_R = a_{R_0} \ldots a_{R_{31}} \in \mathbb{F}_2^{32}$, and a transponder answer $a_T = a_{T_0} \ldots a_{T_{31}} \in \mathbb{F}_2^{32}$, the internal state of the cipher at time $i$ is $\alpha_i := a_i \ldots a_{47+i} \in \mathbb{F}_2^{48}$. Here the $a_i \in \mathbb{F}_2$ are given by
$$a_i := id_i \qquad \forall i \in [0, 31]$$
$$a_{32+i} := k_i \qquad \forall i \in [0, 15]$$
$$a_{48+i} := k_{16+i} \oplus n_{R_i} \qquad \forall i \in [0, 31]$$
$$a_{80+i} := L(a_{32+i} \ldots a_{79+i}) \qquad \forall i \in \mathbb{N}.$$
Furthermore, we define the keystream bit $b_i \in \mathbb{F}_2$ at time $i$ by
$$b_i := f(a_i \ldots a_{47+i}) \qquad \forall i \in \mathbb{N}.$$
Define $\{n_R\}_i, \{a_R\}_i, \{a_T\}_i \in \mathbb{F}_2$ by
$$\{n_R\}_i := n_{R_i} \oplus b_i \qquad \forall i \in [0, 31]$$
$$\{a_R\}_i := a_{R_i} \oplus b_{32+i} \qquad \forall i \in [0, 31]$$
$$\{a_T\}_i := a_{T_i} \oplus b_{64+i} \qquad \forall i \in [0, 31].$$
Note that the $a_i$, $\alpha_i$, $b_i$, $\{n_R\}_i$, $\{a_R\}_i$, and $\{a_T\}_i$ are formally functions of $k$, $id$, and $n_R$. Instead of making this explicit by writing, e.g., $a_i(k, id, n_R)$, we just write $a_i$ where $k$, $id$, and $n_R$ are clear from the context.
3.7 Rollback
To recover the key it is sufficient to learn the internal state of the cipher $\alpha_i$ at any point $i$ in time. Since an attacker knows $id$ and $\{n_R\}$, the LFSR can then be rolled back to time zero.

Definition 3.6. The rollback function $R : \mathbb{F}_2^{48} \to \mathbb{F}_2$ is defined by
$$R(x_1 \ldots x_{48}) := x_2 \oplus x_3 \oplus x_6 \oplus x_7 \oplus x_8 \oplus x_{16} \oplus x_{22} \oplus x_{23} \oplus x_{26} \oplus x_{30} \oplus x_{41} \oplus x_{42} \oplus x_{43} \oplus x_{46} \oplus x_{47} \oplus x_{48}.$$
If one first shifts the LFSR left using $L$ to generate a new bit on the right, then $R$ recovers the bit that dropped out on the left, i.e.,
$$R(x_1 \ldots x_{47}\, L(x_0 \ldots x_{47})) = x_0. \qquad (1)$$
Theorem 3.7. In the situation from Definition 3.5, we have
$$a_{32+i} = R(a_{33+i} \ldots a_{80+i}) \qquad \forall i \in \mathbb{N}$$
$$a_i = id_i \qquad \forall i \in [0, 31].$$
Proof. Straightforward, using Definition 3.5 and Equation (1).
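Equation (1) and Theorem 3.7 can be checked mechanically from the tap positions of Definitions 3.2 and 3.6. The following is an added example, not code from the paper; the identifier, key and nonce bits are random values constructed for the check, and the function names are hypothetical.

```python
import random

# Tap positions copied from Definition 3.2 (L) and Definition 3.6 (R).
L_TAPS = (0, 2, 3, 6, 7, 8, 16, 22, 23, 26, 30, 41, 42, 43, 46, 47)
R_TAPS = (2, 3, 6, 7, 8, 16, 22, 23, 26, 30, 41, 42, 43, 46, 47, 48)


def feedback(state):
    """L(x0 ... x47): XOR of the tapped LFSR cells."""
    bit = 0
    for t in L_TAPS:
        bit ^= state[t]
    return bit


def rollback_bit(window):
    """R(x1 ... x48): window[0] holds x1, window[47] holds x48."""
    bit = 0
    for t in R_TAPS:
        bit ^= window[t - 1]
    return bit


def clock(state):
    """Shift left by one cell, feeding L(state) in on the right."""
    return state[1:] + [feedback(state)]


def unclock(state):
    """Inverse of clock(): restore the bit that dropped out on the left."""
    return [rollback_bit(state)] + state[:-1]


def equation_1_holds(trials=1000, seed=0):
    """Check R(x1 ... x47 L(x0 ... x47)) = x0 on random states."""
    rng = random.Random(seed)
    for _ in range(trials):
        x = [rng.randint(0, 1) for _ in range(48)]
        if rollback_bit(x[1:] + [feedback(x)]) != x[0]:
            return False
    return True


def lfsr_stream(id_bits, key_bits, nonce_bits, extra):
    """a_0 ... a_{79+extra} as given in Definition 3.5."""
    a = list(id_bits) + list(key_bits[:16])
    a += [key_bits[16 + i] ^ nonce_bits[i] for i in range(32)]
    for i in range(extra):
        a.append(feedback(a[32 + i:80 + i]))   # a_{80+i}
    return a


def theorem_3_7_holds(a):
    """a_{32+i} = R(a_{33+i} ... a_{80+i}) for every i the stream covers."""
    return all(a[32 + i] == rollback_bit(a[33 + i:81 + i])
               for i in range(len(a) - 80))


if __name__ == "__main__":
    rng = random.Random(2012)                  # constructed sample values
    ident = [rng.randint(0, 1) for _ in range(32)]
    key = [rng.randint(0, 1) for _ in range(48)]
    nonce = [rng.randint(0, 1) for _ in range(32)]
    print(equation_1_holds(), theorem_3_7_holds(lfsr_stream(ident, key, nonce, 64)))
```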
If an attacker manages to recover the internal state of the LFSR $\alpha_i = a_i a_{i+1} \ldots a_{i+47}$ at some time $i$, then she can repeatedly apply Theorem 3.7 to recover $a_0 a_1 \ldots a_{79}$ and, consequently, the keystream $b_0 b_1 b_2 \ldots$. By having eavesdropped $\{n_R\}$ from the authentication protocol, the adversary can further calculate
$$n_{R_i} = \{n_R\}_i \oplus b_i \qquad \forall i \in [0, 31].$$
Finally, the adversary can compute the secret key as follows
$$k_i = a_{32+i} \qquad \forall i \in [0, 15]$$
$$k_{16+i} = a_{48+i} \oplus n_{R_i} \qquad \forall i \in [0, 31].$$
4 Hitag2 weaknesses
This section describes three weaknesses in the design of Hitag2. The first one is a protocol flaw while the last two concern the cipher's design. These weaknesses will later be exploited in Section 5.
4.1 Arbitrary length keystream oracle
This weakness describes that without knowledge of the secret key, but by having only one authentication attempt, it is possible to gather an arbitrary length of keystream bits from the transponder. Section 3.3 describes the reader commands that can modify or halt a Hitag2 transponder. As mentioned in Definition 3.1 it is possible to extend the length of such a command with a multiple of five bits. A 10-bit command can have an optional number of redundancy messages $r$ so that the total bit count of the message is $10 + 5r$ bits. Due to power and memory constraints, Hitag2 seems to be designed to communicate without a send/receive buffer. Therefore, all cipher operations are performed directly at arrival or transmission of bits. Experiments show that a Hitag2 transponder successfully accepts encrypted commands from the reader which are sent with 1000 redundancy messages. The size of such a command consists of $10 + 5 \times 1000 = 5010$ bits.
Since there is no challenge from the transponder it is possible to replay any valid $\{n_R\}\{a_R\}$ pair to the transponder to achieve a successful authentication. After receiving $a_T$, the internal state of the transponder is initialized and waits for an encrypted command from the reader as defined in Figure 9. Without knowledge of the keystream bits $b_{96} b_{97} \ldots$ and onwards, all possible combinations need to be evaluated. A command consists of at least 10 bits, therefore there are $2^{10}$ possibilities. Each command requires a 3-bit parameter containing the block number. Both read and $\overline{\text{read}}$ receive a 32-bit response, while the write and halt have a different response length. Hence, when searching for 10-bit encrypted commands that get a 32-bit response there are exactly 16 out of the $2^{10}$ values that match. On average the first read command is found after 32 attempts, the complement of this read and its parameters are a linear difference and therefore take only 15 attempts more.

reader → transponder: $\mathrm{cmd}(11, 0, 0) \oplus b_{96} \ldots b_{105}$
transponder → reader: $id \oplus b_{106} \ldots b_{137}$
Figure 13: Read id without redundancy messages

One of the 16 guesses represents the encrypted bits of the read command on the first memory block. This block contains the id which is known plaintext since it is transmitted in the clear during the authentication. Therefore, there is a guess such that the communicated bits are equal to the messages in Figure 13.

With the correct guess, 40 keystream bits can be recovered. This keystream is then used to encrypt a slightly modified read command on block 0 with six redundancy messages, as explained in Section 3.3. The transponder responds with the next 32 bits of keystream which are used to encrypt the identifier as shown in Figure 14. Hence the next 30 keystream bits were retrieved using previously recovered keystream and by extending the read command.

This operation can be repeated many times. For example, using the recovered keystream bits $b_{96} \ldots b_{167}$ it is possible to construct a 70-bit read command with 12 redundancy messages etc. In practice it takes less than 30 seconds to recover 2048 bits of contiguous keystream.

reader → transponder: $\mathrm{cmd}(11, 6, 0) \oplus b_{96} \ldots b_{135}$
transponder → reader: $id \oplus b_{136} \ldots b_{167}$
Figure 14: Read id using 6 redundancy messages

4.2 Dependencies between sessions
Section 3.6 shows that at cipher state $\alpha_{79}$ the cipher is fully initialized and from there on the cipher only produces keystream. This shows that the 48-bit internal state of the cipher is randomized by a reader nonce $n_R$ of only 32 bits. Consequently, at state $\alpha_{79}$, only LFSR bits 16 to 47 are affected by the reader nonce. Therefore LFSR bits 0 to 15 remain constant throughout different sessions, which gives a strong dependency between them. These 16 session persistent bits correspond to bits $k_0 \ldots k_{15}$ of the secret key.
4.3 Low degree determination of the filter function
The filter function $f : \mathbb{F}_2^{48} \to \mathbb{F}_2$ consists of three building blocks $f_a$, $f_b$ and $f_c$ arranged in a two layer structure, see Figure 11. Due to this particular structure, input bits $a_{34} \ldots a_{47}$ only affect the rightmost input bit of $f_c$. Furthermore, simple inspection of $f_c$ shows that in 8 out of 32 configurations of the input bits, the rightmost input bit has no influence on the output of $f_c$. In those cases the output of $f_c$ is determined by its 4-leftmost input bits. Furthermore, this means that with probability 1/4 the filter function $f$ is determined by the 34-leftmost bits of the internal state. The following theorem states this precisely.
Theorem 4.1. Let $X$ be a uniformly distributed variable over $\mathbb{F}_2^{34}$. Then
$$P[\forall Y, Y' \in \mathbb{F}_2^{14} : f(XY) = f(XY')] = 1/4.$$
Proof. By inspection.
Definition 4.2. The function that checks for this property $P : \mathbb{F}_2^{48} \to \mathbb{F}_2$ is defined by
$$P(x_0 \ldots x_{47}) = (\mathtt{0x84D7})_i$$
where
$$i = f_a(x_2 x_3 x_5 x_6)\, f_b(x_8 x_{12} x_{14} x_{15})\, f_b(x_{17} x_{21} x_{23} x_{26})\, f_b(x_{28} x_{29} x_{31} x_{33}).$$
Because $P(x_0 \ldots x_{47})$ only depends on $x_0 \ldots x_{33}$ we shall overload notation and see $P(\cdot)$ as a function $\mathbb{F}_2^{34} \to \mathbb{F}_2$, writing $P(x_0 \ldots x_{47})$ as $P(x_0 \ldots x_{33} 0^{14})$.
5 Attacks
This section describes three attacks against Hitag2. The first attack is straightforward and grants an adversary read and write access to the memory of the transponder. The cryptanalysis described in the second attack recovers the secret key after briefly communicating with the car and the transponder. This attack uses a general technique that can be applied to other LFSR-like stream ciphers. The third attack describes a custom cryptanalysis of the Hitag2 cipher. It only requires a few authentication attempts from the car and allows an adversary to recover the secret key with a computational complexity of $2^{35}$ operations. The last two attacks allow a trade-off between time/memory/data and time/traces respectively. For the sake of simplicity we describe these attacks with concrete values that are either optimal or what we consider sensible in view of currently available hardware.
5.1 Malleability attack
This attack exploits the arbitrary length keystream oracle weakness described in Section 4.1, and the fact that during the authentication algorithm the transponder does not provide any challenge to the reader. These notorious weaknesses allow an adversary to first acquire keystream and then use it to read or write any block on the card with constant communication and computational complexity. After the recovery of the keystream bits $b_{96} \ldots b_{137}$ as shown in Figure 13 an adversary can dump the complete memory of the transponder which includes its password. Recovery of the keystream and creating a memory dump from the transponder takes in total less than one second and requires only to be in proximity distance of the victim. This shows a similar scenario to [22] where Garcia et al. show how to wirelessly pickpocket a MIFARE Classic card from the victim.
The memory blocks where the cryptographic key is stored have an extra optional protection mechanism. There is a one time programmable configuration bit which determines whether these blocks are readable or not. If the reader tries to read a protected block, then the transponder does not respond. In that case the adversary can still use the attacks presented in Section 5.2 and Section 5.3. If the transponder is not correctly configured, it enables an adversary to read all necessary data to start the car.
5.2 Time/memory tradeoff attack
This attack is very general and it can be applied to any LFSR-based stream cipher as long as enough contiguous keystream is available. This is in fact the case with Hitag2 due to the weakness described in Section 4.1. It extends the methods of similar time/memory tradeoff articles published over the last decades [3, 6, 7, 11, 25, 38]. This attack requires communication with the reader and the transponder. The next proposition introduces a small trick that makes it possible to quickly perform $n$ cipher steps at once. Intuitively, this proposition states that the linear difference between a state $s$ and its $n$-th successor is a combination of the linear differences generated by each bit. This will be later used in the attack.
Proposition 5.1. Let $s$ be an LFSR state and $n \in \mathbb{N}$. Furthermore, let $d_i = \mathrm{suc}^n(2^i)$, i.e., the LFSR state that results from running the cipher $n$ steps from the state $2^i$. Then
$$\mathrm{suc}^n(s) = \bigoplus_{i=0}^{47} (d_i \cdot s_i).$$
To perform the attack the adversary A proceeds as follows:
1. Only once, A builds a table containing $2^{37}$ entries. Each entry in the table is of the form $\langle ks, s \rangle$ where $s \in \mathbb{F}_2^{48}$ is an LFSR state and $ks \in \mathbb{F}_2^{48}$ are 48 bits of keystream produced by the cipher when running from $s$. Starting from some state where $s \neq 0$, the adversary generates 48 bits of keystream and stores it. Then it uses Theorem 5.1 to quickly jump $n = 2^{11}$ cipher states to the next entry in the table. This reduces the computational complexity of building the table from $2^{48}$ to $48 \times 2^{37} = 2^{42.5}$ cipher ticks. Moreover, in order to improve lookup time the table is sorted on $ks$ and divided into $2^{24}$ sub-tables encoded in the directory structure like /ks_byte1/ks_byte2/ks_byte3.bin where each ks_byte3.bin file has only 8 KB. The total size of this table amounts to 1.2 TB.
2. A emulates a transponder and runs an authentication attempt with the target car. Following the authentication protocol, the car answers with a message $\{n_R\}\{a_R\}$.
3. Next, the attacker wirelessly replays this message to the legitimate transponder and uses the weakness described in Section 4.1 to obtain 256 bytes of keystream $ks_0 \ldots ks_{2048}$. Note that this might be done while the key is in the victim's bag or pocket.
4. The adversary sets $i = 0$.
5. Then it looks up (in logarithmic time) the keystream $ks_i \ldots ks_{i+47}$ in the table from step 1.
6. If the keystream is not in the table then it increments $i$ and goes back to step 5. If there is a match, then the corresponding state is a candidate internal state. A uses the rest of the keystream to confirm whether this is the internal state of the cipher.
7. Finally, the adversary uses Theorem 3.7 to rollback the cipher state and recover the secret key.
Complexity and time. In step 1 the adversary needs to pre-compute a 1.2 TB table which requires $2^{42.5}$ cipher ticks, which is equal to $2^{37}$ encryptions. During generation, each entry is stored directly in the corresponding .bin file as mentioned before. Each of these 8 KB files also needs to be sorted but it only takes a few minutes to sort them all. Computing and sorting the whole table takes less than one day on a standard laptop. Steps 2-3 take about 30 seconds to gather the 256 bytes of keystream from the transponder. Steps 4-6 require (in worst case) 2000 table lookups which take less than 30 seconds on a standard laptop. This adds to a total of one minute to execute the attack from beginning to end.
5.3 Cryptanalytic attack
A combination of the weaknesses described in Section 4.2 and 4.3 enables an attacker to recover the secret key after gathering a few authentication attempts from a car. In case that identifier white-listing is used as a secondary security measure, which is in fact the case for all the cars we tested, the adversary first needs to obtain a valid transponder id, see Section 7.5.
The intuition behind the attack is simple. Suppose that an adversary has a guess for the first 34 bits of the key. One out of four traces is expected to have the property from Theorem 4.1 which enables the adversary to perform a test on the first bit of $\{a_R\}$. The dependencies between sessions described in Section 4.2 allow the attacker to perform this test many times, decreasing drastically the amount of candidate (partial) keys. If an attacker gathers 136 traces this allows her (on average) to perform 136/4 = 34 bit tests, i.e. just as many as key bits were guessed. For the small amount of candidate keys that pass these tests (typically 2 or 3), the adversary performs an exhaustive search for the remaining 14 bits of the key. A precise description of this attack follows.
1. The attacker uses a transponder emulator (like the Proxmark III) to initiate 136 authentication attempts with the car using a fixed transponder id. In this way the attacker gathers 136 traces of the form $\{n_R\}\{a_R\}$. Next the attacker starts searching for the secret key. For this we split the key $k$ in three parts $k = \overleftarrow{k}\,\hat{k}\,\overrightarrow{k}$ where $\overleftarrow{k} = k_0 \ldots k_{15}$, $\hat{k} = k_{16} \ldots k_{33}$, and $\overrightarrow{k} = k_{34} \ldots k_{47}$.
2. For each $\overleftarrow{k} = k_0 \ldots k_{15} \in \mathbb{F}_2^{16}$ the attacker builds a table $T_{\overleftarrow{k}}$ containing entries $\langle y \oplus b_0 \ldots b_{17},\ b_{32},\ \overleftarrow{k} y \rangle$ for all $y \in \mathbb{F}_2^{18}$ such that $P(\overleftarrow{k} y 0^{14}) = 1$. Note that the expected size of this table is $2^{18} \times 1/4 = 2^{16}$ which easily fits in memory.
3. For each $\hat{k} = k_{16} \ldots k_{33} \in \mathbb{F}_2^{18}$ and for each trace $\{n_R\}\{a_R\}$, the attacker sets $z := \hat{k} \oplus \{n_R\}_0 \ldots \{n_R\}_{17}$. If there is an entry in $T_{\overleftarrow{k}}$ for which $y \oplus b_0 \ldots b_{17}$ equals $z$ but $b_{32} \neq \{a_R\}_0$ then the attacker learns that $\hat{k}$ is a bad guess, so he tries the next one. Otherwise, if $b_{32} = \{a_R\}_0$ then $\hat{k}$ is still a viable guess and therefore the adversary tries the next trace.
4. Each $\overleftarrow{k}\hat{k}$ that passed the test for all traces is a partial candidate key. For each such candidate (typically 2 or 3), the adversary performs an exhaustive search for the remaining key bits $\overrightarrow{k} = k_{34} \ldots k_{47}$. For each full candidate key, the adversary decrypts two traces and checks whether both $\{a_R\}$ decrypt to all ones as specified in the authentication protocol. If a candidate passes this test then it is the secret key. If none of them passes then the adversary goes back to Step 2 and tries the next $\overleftarrow{k}$.
Complexity and time. In step 1, the adversary needs to gather 136 partial authentication traces. This can be done within 1 minute using the Proxmark III. In steps 2 and 3, the adversary needs to build $2^{16}$ tables. For each of these tables the adversary needs to compute $2^{18}$ encryptions plus $2^{18}$ table lookups. Step 4 has negligible complexity thus we ignore it. This adds to a total complexity of $2^{16} \times (2^{18} + 2^{18}) = 2^{35}$ encryptions/lookups. Note that it is straightforward to split up the search space of $\overleftarrow{k}$ in as many processes as you wish. On a standard quad-core laptop this computation takes less than five minutes. Therefore, the whole attack can be performed in less than 360 seconds which explains the title of the paper.
This attack is faster than other practical attacks proposed in [14, 45]. The following table shows a comparison between this attack and other attacks from the literature.
Attack  Description    Practical  Computation   Traces  Time
[45]    brute-force    yes        2102400 min   2       4 years
[14]    sat-solver     yes        2880 min      4       2 days
[42]    sat-solver     no (1)     386 min       N/A     N/A
[44]    cube           no (2)     1 min         500     N/A
Our     cryptanalytic  yes        5 min         136     6 min
(1) Soos et al. require 50 bits of contiguous keystream.
(2) Sun et al. require control over the encrypted reader nonce {n_R}.
Figure 15: Comparison of attack times and requirements
Figure 16: Left: Authentication failure message
Right: Successful authentication using a Proxmark III
6 Starting a car
In order to elaborate on the practicality of our attacks, this section describes our experience with one concrete vehicle. For this we have chosen a German car, mainly due to the fact that it has keyless ignition. Instead of the typical mechanical key, this car has a hybrid remote control which contains a Hitag2 transponder. In the dashboard of the car there is a slot to insert the remote and a button to start the engine. When a piece of plastic of suitable size is inserted in this slot the car repeatedly attempts to authenticate the transponder (and fails). This car uses an identifier white-list as described in Section 7.5. The same section explains how to wirelessly pickpocket a valid identifier from the victim's remote. As soon as the car receives a valid identifier, the dashboard lights up and the LCD screen pops up displaying the message shown in Figure 16-Left. Note also the sign on the dashboard. At this point we used the Proxmark to quickly gather enough traces and execute the attack from Section 5.3 to recover the secret key. This car is one of the few that we tested that does not have a predictable password so we wirelessly read it from the victim's remote. Then we use the Proxmark to emulate the transponder. Figure 16-Right shows that the car accepts the Proxmark as if it was the legitimate transponder. The same picture shows (by looking at the tachometer) that at this stage it is possible to start the engine.
7 Implementation weaknesses
To verify the practicality of our attacks, we have tested all three of them on at least 20 different car models from various makes. During our experiments we found that, besides the weaknesses in cipher and protocol, the transponder is often misconfigured and poorly integrated in the cars. Most of the cars we tested use a default or predictable transponder password. Some generate nonces with a very low entropy. Most car keys have vehicle-dependent information stored in the user defined memory of the transponder, but none of the tested cars actually check this data. Some cars use Hitag2 for keyless ignition systems, which are more vulnerable because they lack a physical key. This section summarizes some of the weaknesses we found during our practical experiments. In particular, Section 7.4 shows the implications of the attack described in Section 5.3 when the transponder uses a predictable password. Section 7.5 describes how to circumvent identifier white-listing. This is an additional security mechanism which is often used in vehicle immobilizers.
7.1 Weak random number generators
From the cars we tested, most pseudo-random number generators (PRNG) use the time as a seed. The time intervals do not have enough precision. Multiple authentication attempts within a time frame of one second get the same random number. Even worse, we came across two cars which have a PRNG with dangerously low entropy. The first one, a French car (A), produces nonces with only 8 bits of entropy, by setting 24 of the 32 bits always to zero as shown in Figure 17.
Origin  Message                    Description
CAR     18                         authenticate
TAG     39 0F 20 10                id
CAR     0A 00 00 00 23 71 90 14    {n_R}{a_R}
TAG     27 23 F8 AF                {a_T}
CAR     18                         authenticate
TAG     39 0F 20 10                id
CAR     56 00 00 00 85 CA 95 BA    {n_R}{a_R}
TAG     38 07 50 C5                {a_T}
Figure 17: Random numbers generated by car A
Another French car (B) produced random looking nonces, but in fact, the last nibble of each byte was determined by the last nibble of the first byte. A subset of these nonces is shown in Figure 18.
{n_R}          {a_R}
20 D1 0B 08    56 36 F3 66
70 61 1B 58    1B 18 F3 38
B0 A1 5B 98    1E 94 62 3A
D0 41 FB B8    01 3B 54 10
25 1A 3C AD    15 88 5E 19
05 7A 9C 8D    F7 4D F7 70
C5 3A 5C 4D    30 B1 4A D4
E5 DA FC 6D    D8 BD 79 C3
Figure 18: Random numbers generated by car B
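The checks below flag the two defects described in this section on the nonces printed in Figures 17 and 18: bits that never change, and bits that are fixed by other bits. This is an added example, not code from the paper; the type and function names and the `src` mask parameter are assumptions of the example.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Encrypted reader nonces {n_R} copied from Figure 17 (car A) and
// Figure 18 (car B) above.
var carA = []uint32{0x0A000000, 0x56000000}
var carB = []uint32{
	0x20D10B08, 0x70611B58, 0xB0A15B98, 0xD041FBB8,
	0x251A3CAD, 0x057A9C8D, 0xC53A5C4D, 0xE5DAFC6D,
}

// Report summarises how much of a 32-bit nonce was seen to vary.
type Report struct {
	Stuck      uint32 // bits with the same value in every sample
	Determined uint32 // bits that always follow the source bits
	FreeBits   int    // bits neither stuck nor determined
	Repeats    int    // samples that repeat an earlier nonce
}

// stuckBits returns a mask of the bit positions that never change.
func stuckBits(nonces []uint32) uint32 {
	if len(nonces) == 0 {
		return 0
	}
	varying := uint32(0)
	for _, v := range nonces[1:] {
		varying |= v ^ nonces[0]
	}
	return ^varying
}

// determinedBits returns the bits outside src that agree whenever two
// samples agree on the src bits. ok is false when the capture cannot
// show a dependency: no src value repeats, or only one src value occurs.
func determinedBits(nonces []uint32, src uint32) (mask uint32, ok bool) {
	first := map[uint32]uint32{} // src value -> first nonce seen with it
	disagree := uint32(0)
	for _, v := range nonces {
		if ref, seen := first[v&src]; seen {
			disagree |= v ^ ref
			ok = true
		} else {
			first[v&src] = v
		}
	}
	if !ok || len(first) < 2 {
		return 0, false
	}
	return ^disagree &^ src, true
}

// audit combines the checks. FreeBits reflects this capture only, so
// audit a large capture before drawing conclusions from it.
func audit(nonces []uint32, src uint32) Report {
	r := Report{Stuck: stuckBits(nonces)}
	r.Determined, _ = determinedBits(nonces, src)
	r.FreeBits = 32 - bits.OnesCount32(r.Stuck|r.Determined)
	seen := map[uint32]bool{}
	for _, v := range nonces {
		if seen[v] {
			r.Repeats++
		}
		seen[v] = true
	}
	return r
}

func main() {
	const lowNibbleOfFirstByte = 0x0F000000
	for name, set := range map[string][]uint32{"car A": carA, "car B": carB} {
		r := audit(set, lowNibbleOfFirstByte)
		fmt.Printf("%s: stuck=%08X determined=%08X free=%d repeats=%d\n",
			name, r.Stuck, r.Determined, r.FreeBits, r.Repeats)
	}
}
```

On the figures' data the audit marks the low 24 bits of car A's nonce as stuck and the low nibbles of bytes 1 to 3 of car B's nonce as determined by the low nibble of the first byte.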
7.2 Low entropy keys
Some cars have repetitive patterns in their keys which make them vulnerable to dictionary attacks. Recent models of a Korean car (C) use the key with the lowest entropy we came across. It tries to access the transponder in password mode as well as in crypto mode. For this it uses the default password MIKR and a key of the form 0xFFFF******FF as shown in Figure 19.
Origin  Message                    Description
CAR     18                         authenticate
TAG     E4 13 05 1A                id
CAR     4D 49 4B 52                password = MIKR
CAR     18                         authenticate
TAG     E4 13 05 1A                id
CAR     DA 63 3D 24 A7 19 07 12    {n_R}{a_R}
TAG     EC 2A 4B 58                {a_T}
Figure 19: Car C authenticates using the default password and secret key 0xFFFF814632FF
7.3 Readable keys
Section 5.1 shows how to recover the memory dump of a Hitag2 transponder. Almost all makes protect the secret key against read operations by setting the bits of the configuration in such a way that block one and two are not readable. There are some exceptions, though. For example, experiments show that most cars from a French manufacturer have not set this protection bit. This enables an attacker to recover the secret key in an instant. Even more worrying, many of these cars have the optional feature to use a remote key-less entry system which has a much wider range and is therefore more vulnerable to wireless attacks. The combination of a transponder that is wirelessly accessible over a distance of several meters and a non protected readable key is most worrying.
7.4 Predictable transponder passwords
The transponder password is encrypted and sent in the transponder answer $a_T$ of the authentication protocol. This is an additional security mechanism of the Hitag2 protocol apart from the cryptographic algorithm. Besides the fact that the transponder proves knowledge of the secret key, it sends its password encrypted. In general it is good to have some fall back scenario and countermeasure if the used cryptosystem gets broken. Section 5.3 demonstrates how to recover the secret key from a vehicle. But to start the engine, it is necessary to know the transponder password as well. Experiments show that at least half of the cars we tested on use default or predictable passwords.
7.5 Identifier pickpocketing
The first generation of vehicle immobilizers were not able to compute any cryptographic operations. These transponders were simply transmitting a constant (unique) identifier over the RF channel. Legitimate transponder identifiers were white-listed by the vehicle and only those transponders in the white-list would enable the engine to start. Most immobilizer units in cars still use such a white-listing mechanism, which is actually encouraged by NXP. These cars would only attempt to authenticate transponders in their white-list. This is an extra obstacle for an attacker, namely recovering a genuine identifier from the victim before being able to execute any attack. There are (at least) two ways for an adversary to wirelessly pickpocket a Hitag2 identifier:
- One option is to use the low-frequency (LF) interface to wirelessly pickpocket the identifier from the victim's key. This can be done within proximity distance and takes only a few milliseconds. According to the Hitag2 datasheet [36], the communication range of a transponder is up to one meter. Hitag2 transponders embedded into car keys, however, are optimized for size and do not achieve such a communication distance. Still, an adversary can use tuned equipment with big antennas that ignore radiation regulations (e.g., [17]) in order to reach a larger reading distance. Many examples in the literature show the simplicity and low cost of such a setup [24, 30, 31, 43].
- Another option is to use the wide range ultra-high frequency (UHF) interface. For this an adversary needs to eavesdrop on the transmission of a hybrid Hitag2 transponder [39] when the victim presses a button on the remote (e.g. to close the doors). Most keyless entry transponders broadcast their identifier in the clear on request (see for example [39]).
With respect to the LF interface, the UHF interface has a much wider transmission range. As shown in [18] it is not hard to eavesdrop such a transmission from a distance of 100 meters. From a security perspective, the first generation Hitag2 transponders have a physical advantage over the hybrid transponders since they only support the LF interface.
8 Mitigation
This section briefly discusses a simple but effective authentication protocol for car immobilizers and it also describes a number of mitigating measures for the attacks proposed in Section 5. For more details we refer the reader to [1, 9].
First of all we emphasize that it is important for the automotive industry to migrate from weak proprietary ciphers to a peer-reviewed one such as AES [15], used in cipher block chaining mode (CBC). A straightforward mutual authentication protocol is sketched in Figure 20. The random nonces $n_R$, $n_T$, secret key $k$ and transponder password $PWD_T$ should be at least 128 bits long. Comparable schemes are proposed in the literature [32, 33, 46, 48, 49].
Car -> Transponder: authenticate
Transponder -> Car: id, n_T
Car -> Transponder: {n_R, n_T}_k
Transponder -> Car: {n_R, PWD_T}_k
Figure 20: Immobilizer authentication protocol using AES
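The exchange of Figure 20, as an added Go example that is not the authors' code: the transponder nonce n_T is what makes a recorded car message useless in a later session, the challenge that Section 5.1 notes Hitag2 does not provide. The random IV prepended to each ciphertext, the type and function names, and leaving the id out of the first reply are assumptions; the figure does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

const size = 16 // 128-bit nonces, key and password, as the text requires

func fresh() []byte {
	b := make([]byte, size)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal returns IV || AES-CBC_k(a || b). The random IV is an assumption:
// Figure 20 does not say how the IV is chosen.
func seal(k, a, b []byte) []byte {
	blk, err := aes.NewCipher(k)
	if err != nil {
		panic(err)
	}
	out := append(append(fresh(), a...), b...)
	cipher.NewCBCEncrypter(blk, out[:size]).CryptBlocks(out[size:], out[size:])
	return out
}

// open reverses seal and returns the two 128-bit fields.
func open(k, msg []byte) (a, b []byte, ok bool) {
	blk, err := aes.NewCipher(k)
	if err != nil || len(msg) != 3*size {
		return nil, nil, false
	}
	pt := make([]byte, 2*size)
	cipher.NewCBCDecrypter(blk, msg[:size]).CryptBlocks(pt, msg[size:])
	return pt[:size], pt[size:], true
}

// Tag is the transponder, Car the immobilizer. Both hold k and PWD_T.
type Tag struct{ Key, Pwd, nT []byte }
type Car struct{ Key, Pwd, nR []byte }

// Challenge answers "authenticate" with a fresh n_T (the id is left out).
func (t *Tag) Challenge() []byte {
	t.nT = fresh()
	return t.nT
}

// Answer is the car's message {n_R, n_T}_k.
func (c *Car) Answer(nT []byte) []byte {
	c.nR = fresh()
	return seal(c.Key, c.nR, nT)
}

// Respond accepts only this session's n_T, once, and returns {n_R, PWD_T}_k.
func (t *Tag) Respond(msg []byte) ([]byte, bool) {
	nR, nT, ok := open(t.Key, msg)
	if !ok || subtle.ConstantTimeCompare(nT, t.nT) != 1 {
		return nil, false
	}
	t.nT = nil
	return seal(t.Key, nR, t.Pwd), true
}

// Verify accepts the tag only if it echoes n_R and knows PWD_T.
func (c *Car) Verify(msg []byte) bool {
	nR, pwd, ok := open(c.Key, msg)
	ok = ok && subtle.ConstantTimeCompare(nR, c.nR) == 1 &&
		subtle.ConstantTimeCompare(pwd, c.Pwd) == 1
	c.nR = nil
	return ok
}

// session runs one exchange; it returns the car's message and the verdict.
func session(c *Car, t *Tag) (carMsg []byte, accepted bool) {
	carMsg = c.Answer(t.Challenge())
	resp, ok := t.Respond(carMsg)
	return carMsg, ok && c.Verify(resp)
}

// replayAccepted replays a recorded car message into a new tag session.
func replayAccepted(t *Tag, recorded []byte) bool {
	t.Challenge()
	_, ok := t.Respond(recorded)
	return ok
}

func main() {
	key, pwd := fresh(), fresh() // constructed demo secrets
	car, tag := &Car{Key: key, Pwd: pwd}, &Tag{Key: key, Pwd: pwd}
	msg, ok := session(car, tag)
	fmt.Println("honest:", ok, "replay accepted:", replayAccepted(tag, msg))
}
```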
There are already immobilizer transponders on the market which implement AES, like the ATA5795 [2] from Atmel and the Hitag AES / Pro [37] from NXP. It should be noted that, although they use a peer-reviewed encryption algorithm, their authentication protocol is still proprietary and therefore lacks public and academic scrutiny.
In order to reduce the applicability of our cryptographic attack, the automotive industry could consider the following measures. This attack is the most sensitive as it does not require access to the car key. These countermeasures should be interpreted as palliating (but not a solution) before migrating to a more secure and openly designed product.
- Extend the transponder password
  The transponder password is an important part of the authentication protocol but grievously it has only an entropy of 24 bits. Such a password is easy to find via exhaustive search. Furthermore, as we mentioned in Section 7.4, manufacturers often deployed their cars with predictable transponder passwords. As shown in Figure 8, there are four pages available of user defined memory in a Hitag2 transponder. These could be used to extend the transponder password with 128 bits of random data to increase its entropy. This implies that an adversary needs to get access to the transponder's memory before being able to steal a car.
- Delay authentication after failure
  The cryptographic car-only attack explained in Section 5.3 requires several authentication attempts to reduce the computational complexity. Extending the time an adversary needs to gather these traces increases the risk of being caught. To achieve this, the immobilizer introduces a pause before re-authenticating that grows incrementally or exponentially with the number of sequential incorrect authentications. An interesting technique to implement such a countermeasure is proposed in [40]. The robustness, availability and usability of the product is affected by this delay, but it increases the attack time considerably and therefore reduces the risk of car theft.
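An added example (not from the paper or from any vendor firmware) of the delay countermeasure, with the cost it puts on gathering the 136 traces that Section 5.3 needs. The base delay of 250 ms, the 5 minute cap and a failure counter that survives power loss are assumed values and design choices.

```go
package main

import (
	"fmt"
	"time"
)

// Throttle delays the next authentication after consecutive failures.
// Failures is assumed to survive power loss (for example in EEPROM);
// otherwise removing power would reset the delay.
type Throttle struct {
	Base, Cap time.Duration
	Failures  int
}

// Delay is the pause imposed before the next attempt: nothing after a
// success, Base after one failure, doubling per failure up to Cap.
func (t *Throttle) Delay() time.Duration {
	d := time.Duration(0)
	for i := 0; i < t.Failures; i++ {
		if i == 0 {
			d = t.Base
		} else {
			d *= 2
		}
		if d >= t.Cap {
			return t.Cap // stop here so the doubling cannot overflow
		}
	}
	return d
}

// Record updates the counter: success clears it, failure increments it.
func (t *Throttle) Record(success bool) {
	if success {
		t.Failures = 0
	} else {
		t.Failures++
	}
}

// timeToCollect returns the total pause an emulator sits through while
// gathering `traces` failed authentications in a row.
func timeToCollect(t Throttle, traces int) time.Duration {
	total := time.Duration(0)
	for i := 0; i < traces; i++ {
		total += t.Delay()
		t.Record(false)
	}
	return total
}

func main() {
	policy := Throttle{Base: 250 * time.Millisecond, Cap: 5 * time.Minute} // assumed values
	fmt.Println("136 traces (Section 5.3):", timeToCollect(policy, 136))
	fmt.Println("driver with two bad reads:", timeToCollect(policy, 3))
}
```

With these assumed values the 136 traces that take under a minute without a delay cost more than ten hours of enforced pauses, while a driver whose key misreads twice waits 750 ms in total.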
Besides these measures, it is important to improve the pseudo-random number generator in the vehicles which is used to generate reader nonces. Needless to say, the same applies to cryptographic keys and transponder passwords. NIST has proposed a statistical test suite which can be used to verify the quality of a pseudo-random number generator [41].
9 Conclusions
We have found many serious vulnerabilities in the Hitag2 and its usage in the automotive industry. In particular, Hitag2 allows replaying reader data to the transponder; provides an unlimited keystream oracle and uses only one low-entropy nonce to randomize a session. These weaknesses allow an adversary to recover the secret key within seconds when wireless access to the car and key is available. When only communication with the car is possible, the adversary needs less than six minutes to recover the secret key. The cars we tested use identifier white-listing. To circumvent this, the adversary first needs to obtain a valid transponder id by other means e.g., eavesdrop it when the victim locks the doors. This UHF transmission can be intercepted from a distance of 100 meters [18]. We have executed all our attacks (from Section 5) in practice within the claimed attack times. We have experimented with more than 20 vehicles of various makes and models and found also several implementation weaknesses.
In line with the principle of responsible disclosure, we have notified the manufacturer NXP six months before disclosure. We have constructively collaborated with NXP, discussing mitigating measures and giving them feedback to help improve the security of their products.
10 Acknowledgments
The authors would like to thank Bart Jacobs for his firm support in the background. We are also thankful to E. Barendsen, L. van den Broek, J. de Bue, Y. van Dalen, E. Gouwens, R. Habraken, I. Haerkens, S. Hoppenbrouwers, K. Koster, S. Meeuwsen, J. Reule, J. Reule, I. Roggema, L. Spix, C. Terheggen, M. Vaal, S. Vernooij, U. Zeitler, B. Zwanenburg, and those who prefer to remain anonymous for (bravely) volunteering their cars for our experiments.
References
[1] Ross J. Anderson. Security Engineering: A guide to building dependable distributed systems. Wiley, 2010.
[2] Atmel. Embedded avr microcontroller including rf transmitter and immobilizer lf functionality for remote keyless entry - ATA5795, 2010.
[3] Steve Babbage. A space/time tradeoff in exhaustive search attacks on stream ciphers. In European Convention on Security and Detection, volume 408 of Conference Publications, pages 161-166. IEEE Computer Society, 1995.
[4] Josep Balasch, Benedikt Gierlichs, Roel Verdult, Lejla Batina, and Ingrid Verbauwhede. Power analysis of Atmel CryptoMemory - recovering keys from secure EEPROMs. In 12th Cryptographers' Track at the RSA Conference (CT-RSA 2012), volume 7178 of Lecture Notes in Computer Science, pages 19-34. Springer-Verlag, 2012.
[5] Alex Biryukov, Ilya Kizhvatov, and Bin Zhang. Cryptanalysis of the Atmel cipher in SecureMemory, CryptoMemory and CryptoRF. In 9th Applied Cryptography and Network Security (ACNS 2011), pages 91-109. Springer-Verlag, 2011.
[6] Alex Biryukov, Sourav Mukhopadhyay, and Palash Sarkar. Improved time-memory trade-offs with multiple data. In 13th International Workshop on Selected Areas in Cryptography (SAC 2006), volume 3897 of Lecture Notes in Computer Science, pages 110-127. Springer-Verlag, 2006.
[7] Alex Biryukov and Adi Shamir. Cryptanalytic time/memory/data tradeoffs for stream ciphers. In 6th International Conference on the Theory and Application of Cryptology and Information Security, Advances in Cryptology (ASIACRYPT 2000), volume 1976 of Lecture Notes in Computer Science, pages 1-13. Springer-Verlag, 2000.
[8] Andrey Bogdanov. Linear slide attacks on the KeeLoq block cipher. In Information Security and Cryptology (INSCRYPT 2007), volume 4990 of Lecture Notes in Computer Science, pages 66-80. Springer, 2007.
[9] Andrey Bogdanov and Christof Paar. On the security and efficiency of real-world lightweight authentication protocols. In 1st Workshop on Secure Component and System Identification (SECSI 2008). ECRYPT, 2008.
[10] Stephen C. Bono, Matthew Green, Adam Stubblefield, Ari Juels, Aviel D. Rubin, and Michael Szydlo. Security analysis of a cryptographically-enabled RFID device. In 14th USENIX Security Symposium (USENIX Security 2005), pages 1-16. USENIX Association, 2005.
[11] Johan Borst, Bart Preneel, Joos Vandewalle, and Joos V. On the time-memory tradeoff between exhaustive key search and table precomputation. In 19th Symposium in Information Theory in the Benelux, pages 111-118, 1998.
[12] Nicolas T. Courtois. The dark side of security by obscurity - and cloning MIFARE Classic rail and building passes, anywhere, anytime. In 4th International Conference on Security and Cryptography (SECRYPT 2009), pages 331-338. INSTICC Press, 2009.
[13] Nicolas T. Courtois, Gregory V. Bard, and David Wagner. Algebraic and slide attacks on KeeLoq. In 15th International Workshop on Fast Software Encryption (FSE 2000), volume 5086 of Lecture Notes in Computer Science, pages 97-115. Springer-Verlag, 2008.
[14] Nicolas T. Courtois, Sean O'Neil, and Jean-Jacques Quisquater. Practical algebraic attacks on the Hitag2 stream cipher. In 12th Information Security Conference (ISC 2009), volume 5735 of Lecture Notes in Computer Science, pages 167-176. Springer-Verlag, 2009.
[15] Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, 2002.
[16] Gerhard de Koning Gans, Jaap-Henk Hoepman, and Flavio D. Garcia. A practical attack on the MIFARE Classic. In 8th Smart Card Research and Advanced Applications Conference (CARDIS 2008), volume 5189 of Lecture Notes in Computer Science, pages 267-282. Springer-Verlag, 2008.
[17] Federal Communications Commission FCC. Guidelines for evaluating the environmental effects of radio frequency radiation. Technical report, Federal Communications Commission FCC, April 2009.
[18] Aurélien Francillon, Boris Danev, and Srdjan Čapkun. Relay attacks on passive keyless entry and start systems in modern cars. In 18th Network and Distributed System Security Symposium (NDSS 2011). The Internet Society, 2011.
[19] Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, and Bart Jacobs. Dismantling MIFARE Classic. In 13th European Symposium on Research in Computer Security (ESORICS 2008), volume 5283 of Lecture Notes in Computer Science, pages 97-114. Springer-Verlag, 2008.
[20] Flavio D. Garcia, Gerhard de Koning Gans, and Roel Verdult. Exposing iClass key diversification. In 5th USENIX Workshop on Offensive Technologies (USENIX WOOT 2011), pages 128-136, San Francisco, CA, USA, 2011. USENIX Association.
[21] Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult, and Milosch Meriac. Dismantling iClass and iClass Elite. In 17th European Symposium on Research in Computer Security (ESORICS 2012), Lecture Notes in Computer Science. Springer-Verlag, 2012.
[22] Flavio D. Garcia, Peter van Rossum, Roel Verdult, and Ronny Wichers Schreur. Wirelessly pickpocketing a mifare classic card. In 30th IEEE Symposium on Security and Privacy (S&P 2009), pages 3-15. IEEE Computer Society, 2009.
[23] Flavio D. Garcia, Peter van Rossum, Roel Verdult, and Ronny Wichers Schreur. Dismantling SecureMemory, CryptoMemory and CryptoRF. In 17th ACM Conference on Computer and Communications Security (CCS 2010), pages 250-259. ACM/SIGSAC, 2010.
[24] Gerhard P. Hancke. Practical attacks on proximity identification systems (short paper). In 27th IEEE Symposium on Security and Privacy (S&P 2006), pages 328-333. IEEE Computer Society, 2006.
[25] Martin E. Hellman. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, 26(4):401-406, 1980.
[26] Motoki Hirano, Mikio Takeuchi, Takahisa Tomoda, and Kin-Ichiro Nakano. Keyless entry system with radio card transponder. IEEE Transactions on Industrial Electronics, 35:208-216, 1988.
[27] Sebastiaan Indesteege, Nathan Keller, Orr Dunkelmann, Eli Biham, and Bart Preneel. A practical attack on KeeLoq. In 27th International Conference on the Theory and Application of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT 2008), volume 4965 of Lecture Notes in Computer Science, pages 1-8. Springer-Verlag, 2008.
[28] Markus Kasper, Timo Kasper, Amir Moradi, and Christof Paar. Breaking KeeLoq in a flash: on extracting keys at lightning speed. In 2nd International Conference on Cryptology in Africa, Progress in Cryptology (AFRICACRYPT 2009), volume 5580 of Lecture Notes in Computer Science, pages 403-420. Springer-Verlag, 2009.
[29] Keyline. Transponder guide. http://www.keyline.it/files/884/transponder guide 16729.pdf, 2012.
[30] Ziv Kfir and Avishai Wool. Picking virtual pockets using relay attacks on contactless smartcard. In 1st International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005), pages 47-58. IEEE Computer Society, 2005.
[31] Ilan Kirschenbaum and Avishai Wool. How to build a low-cost, extended-range RFID skimmer. In 15th USENIX Security Symposium (USENIX Security 2006), pages 43-57. USENIX Association, 2006.
[32] Kerstin Lemke, Ahmad-Reza Sadeghi, and Christian Stüble. An open approach for designing secure electronic immobilizers. In Information Security Practice and Experience (ISPEC 2005), volume 3439 of Lecture Notes in Computer Science, pages 230-242. Springer-Verlag, 2005.
[33] Kerstin Lemke, Ahmad-Reza Sadeghi, and Christian Stüble. Anti-theft protection: Electronic immobilizers. Embedded Security in Cars, pages 51-67, 2006.
[34] Karsten Nohl. Immobilizer security. In 8th International Conference on Embedded Security in Cars (ESCAR 2010), 2010.
[35] Karsten Nohl, David Evans, Starbug, and Henryk Plötz. Reverse engineering a cryptographic RFID tag. In 17th USENIX Security Symposium (USENIX Security 2008), pages 185-193. USENIX Association, 2008.
[36] Transponder IC, Hitag2. Product Data Sheet, Nov 2010. NXP Semiconductors.
[37] Hitag pro. Product Data Sheet, 2011. NXP Semiconductors.
[38] Philippe Oechslin. Making a faster cryptanalytic time-memory trade-off. In 23rd International Cryptology Conference, Advances in Cryptology (CRYPTO 2003), volume 2729 of Lecture Notes in Computer Science, pages 617-630. Springer-Verlag, 2003.
[39] Security transponder plus remote keyless entry - Hitag2 plus, PCF7946AT. Product Profile, Jun 1999. Philips Semiconductors.
[40] Amir Rahmati, Mastooreh Salajegheh, Dan Holcomb, Jacob Sorber, Wayne P. Burleson, and Kevin Fu. TARDIS: Time and remanence decay in SRAM to implement secure protocols on embedded devices without clocks. In 21st USENIX Security Symposium (USENIX Security 2012). USENIX Association, 2012.
[41] Andrew Rukhin, Juan Soto, James Nechvatal, Miles Smid, Elaine Barker, Stefan Leigh, Mark Levenson, Mark Vangel, David Banks, Alan Heckert, James Dray, and San Vo. A statistical test suite for the validation of random number generators and pseudo random number generators for cryptographic applications. NIST Special Publication, pages 800-822, 2001.
[42] Mate Soos, Karsten Nohl, and Claude Castelluccia. Extending SAT solvers to cryptographic problems. In 12th International Conference on Theory and Applications of Satisfiability Testing (SAT 2009), volume 5584 of Lecture Notes in Computer Science, pages 244-257. Springer-Verlag, 2009.
[43] Frank Stajano and Ross J. Anderson. The resurrecting duckling: Security issues for ad-hoc wireless networks. In 7th International Workshop on Security Protocols (WSP 2000), volume 1796 of Lecture Notes in Computer Science, pages 172-182. Springer-Verlag, 2000.
[44] Siwei Sun, Lei Hu, Yonghong Xie, and Xiangyong Zeng. Cube cryptanalysis of Hitag2 stream cipher. In 10th International Conference on Cryptology and Network Security (CANS 2011), volume 7092 of Lecture Notes in Computer Science, pages 15
25. Springer-Verlag, 2011.
[45] Petr

Stembera and Martin Novotn y. Breaking
Hitag2 with recongurable hardware. In 14th Eur-
omicro Conference on Digital System Design (DSD
2011), pages 558563. IEEE Computer Society,
2011.
[46] Pang-Chieh Wang, Ting-Wei Hou, Jung-Hsuan Wu,
and Bo-Chiuan Chen. A security module for car ap-
pliances. International Journal of World Academy
Of Science, Engineering and Technology, 26:155
160, 2007.
[47] I.C. Wiener. Philips/NXP Hitag2
PCF7936/46/47/52 stream cipher reference
implementation. http://cryptolib.com/ciphers/hitag2/,
2007.
[48] Marko Wolf, Andre Weimerskirch, and Thomas
Wollinger. State of the art: Embedding security in
vehicles. EURASIP Journal on Embedded Systems,
2007:074706, 2007.
[49] Jung-Hsuan Wu, Chien-Chuan Kung, Jhan-Hao
Rao, Pang-Chieh Wang, Cheng-Liang Lin, and
Ting-Wei Hou. Design of an in-vehicle anti-theft
component. In 8th International Conference on In-
telligent Systems Design and Applications (ISDA
2008), volume 1, pages 566569. IEEE Computer
Society, 2008.
16

You might also like