Gone in 360 Seconds Hijacking With Hitag2


See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/235916472


Conference Paper · January 2012


All content following this page was uploaded by Flavio D. Garcia on 18 March 2014.



Gone in 360 Seconds: Hijacking with Hitag2
Roel Verdult, Flavio D. Garcia
Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands.
{rverdult,flaviog}@cs.ru.nl

Josep Balasch
KU Leuven ESAT/COSIC and IBBT, Kasteelpark Arenberg 10, 3001 Heverlee, Belgium
[email protected]

Abstract

An electronic vehicle immobilizer is an anti-theft device which prevents the engine of the vehicle from starting unless the corresponding transponder is present. Such a transponder is a passive RFID tag which is embedded in the car key and wirelessly authenticates to the vehicle. It prevents a perpetrator from hot-wiring the vehicle or starting the car by forcing the mechanical lock. Having such an immobilizer is required by law in several countries. Hitag2, introduced in 1996, is currently the most widely used transponder in the car immobilizer industry. It is used by at least 34 car makes and fitted in more than 200 different car models. Hitag2 uses a proprietary stream cipher with 48-bit keys for authentication and confidentiality. This article reveals several weaknesses in the design of the cipher and presents three practical attacks that recover the secret key using only wireless communication. The most serious attack recovers the secret key from a car in less than six minutes using ordinary hardware. This attack allows an adversary to bypass the cryptographic authentication, leaving only the mechanical key as safeguard. This is even more sensitive on vehicles where the physical key has been replaced by a keyless entry system based on Hitag2. During our experiments we managed to recover the secret key and start the engine of many vehicles from various makes using our transponder emulating device. These experiments also revealed several implementation weaknesses in the immobilizer units.

1 Introduction

In the past, most cars relied only on mechanical keys to prevent a hijacker from stealing the vehicle. Since the ’90s most car manufacturers incorporated an electronic car immobilizer as an extra security mechanism in their vehicles. From 1995 it is mandatory that all cars sold in the EU are fitted with such an immobilizer device, according to European directive 95/56/EC. Similar regulations apply to other countries like Australia, New Zealand (AS/NZS 4601:1999) and Canada (CAN/ULC S338-98). An electronic car immobilizer consists of two main components: a small transponder chip which is embedded in (the plastic part of) the car key, see Figure 1; and a reader which is located somewhere in the dashboard of the vehicle and has an antenna coil around the ignition, see Figure 2.

Figure 1: Car keys with a Hitag2 transponder/chip

The transponder is a passive RFID tag that operates at a low frequency wave of 125 kHz. It is powered up when it comes in proximity range of the electronic field of the reader. When the transponder is absent, the immobilizer unit prevents the vehicle from starting the engine.

Figure 2: Immobilizer unit around the ignition barrel

A distinction needs to be made with remotely operated central locking system, which opens the doors, is battery powered, operates at an ultra-high frequency (UHF) of 433 MHz, and only activates when the user pushes a
button on the remote key. More recent car keys are often deployed with a hybrid chip that supports the battery powered ultra-high frequency as well as the passive low frequency communication interface.

With the Hitag2 family of transponders, its manufacturer NXP Semiconductors (formerly Philips Semiconductors) leads the immobilizer market [34]. Figure 4 shows a list containing some of the vehicles that are deployed with a Hitag2 transponder. Even though NXP boasts “Unbreakable security levels using mutual authentication, challenge-response and encrypted data communication” (footnote 1), it uses a shared key of only 48 bits.

Footnote 1: http://www.nxp.com/products/automotive/car access immobilizers/immobilizer/

Since 1988, the automotive industry has moved towards the so-called keyless ignition or keyless entry in their high-end vehicles [26]. In such a vehicle the mechanical key is no longer present and it has been replaced by a start button like the one shown in Figure 3. The only anti-theft mechanism left in these vehicles is the immobilizer. Startlingly, many keyless ignition or entry vehicles sold nowadays are still based on the Hitag2 cipher. In some keyless entry cars Hitag2 is also used as a backup mechanism for opening the doors, e.g., when the battery of the remote is depleted.

Figure 3: Keyless hybrid transponder and engine start/stop button

Make          Models
Acura         CSX, MDX, RDX, TL, TSX
Alfa Romeo    156, 159, 166, Brera, Giulietta, Mito, Spider
Audi          A8
Bentley       Continental
BMW           Serie 1, 5, 6, 7, all bikes
Buick         Enclave, Lucerne
Cadillac      BLS, DTS, Escalade, SRX, STS, XLR
Chevrolet     Avanlache, Caprice, Captiva, Cobalt, Equinox, Express, HHR, Impala, Malibu, Montecarlo, Silverado, Suburban, Tahoe, Trailblazer, Uplander
Chrysler      300C, Aspen, Grand Voyager, Pacifica, Pt Cruiser, Sebring, Town Country, Voyager
Citroen       Berlingo, C-Crosser, C2, C3, C4, C4 Picasso, C5, C6, C8, Nemo, Saxo, Xsara, Xsara Picasso
Dacia         Duster, Logan, Sandero
Daewoo        Captiva, Windstorm
Dodge         Avenger, Caliber, Caravan, Charger, Dakota, Durango, Grand Caravan, Journey, Magnum, Nitro, Ram
Fiat          500, Bravo, Croma, Daily, Doblo, Fiorino, Grande Punto, Panda, Phedra, Ulysse, Scudo
GMC           Acadia, Denali, Envoy, Savana, Siera, Terrain, Volt, Yukon
Honda         Accord, Civic, CR-V, Element, Fit, Insight, Stream, Jazz, Odyssey, Pilot, Ridgeline, most bikes
Hummer        H2, H3
Hyundai       130, Accent, Atos Prime, Coupe, Elantra, Excel, Getz, Grandeur, I30, Matrix, Santafe, Sonata, Terracan, Tiburon, Tucoson, Tuscanti
Isuzu         D-Max
Iveco         35C11, Eurostar, New Daily, S-2000
Jeep          Commander, Compass, Grand Cherokee, Liberty, Patriot, Wrangler
Kia           Carens, Carnival, Ceed, Cerato, Magentis, Mentor, Optima, Picanto, Rio, Sephia, Sorento, Spectra, Sportage
Lancia        Delta, Musa, Phedra
Mini          Cooper
Mitsubishi    380, Colt, Eclipse, Endeavor, Galant, Grandis, L200, Lancer, Magna, Outlander, Outlander, Pajero, Raider
Nissan        Almera, Juke, Micra, Pathfinder, Primera, Qashqai, Interstar, Note, Xterra
Opel          Agila, Antara, Astra, Corsa, Movano, Signum, Vectra, Vivaro, Zafira
Peugeot       106, 206, 207, 307, 406, 407, 607, 807, 1007, 3008, 5008, Beeper, Partner, Boxer, RCZ
Pontiac       G5, G6, Pursuit, Solstice, Torrent
Porsche       Cayenne
Renault       Clio, Duster, Kangoo, Laguna II, Logan, Master, Megane, Modus, Sandero, Trafic, Twingo
Saturn        Aura, Outlook, Sky, Vue
Suzuki        Alto, Grand Vitara, Splash, Swift, Vitara, XL-7
Volkswagen    Touareg, Phaeton

Figure 4: Vehicles using Hitag2 [29] – boldface indicates vehicles we tested

Related work

A similar immobilizer transponder is produced by Texas Instruments under the name Digital Signature Transponder (DST). It is protected by a different proprietary cryptographic algorithm that uses a secret key of only 40 bits. The workings of these algorithms are reverse engineered by Bono et al. in [10]. Francillon et al. demonstrated in [18] that it is possible to relay in real-time the (encrypted) communication of several keyless entry systems. The article shows that in some cases such a communication can be intercepted over a distance of at least 100 meters.

The history of the NXP Hitag2 family of transponders overlaps with that of other security products designed and deployed in the late nineties, such as Keeloq [8, 13, 27, 28], MIFARE Classic [12, 19, 22, 35], CryptoMemory [4, 5, 23] or iClass [20, 21]. Originally,
information on Hitag2 transponders was limited to data sheets with high level descriptions of the chip’s functionality [36], while details on the proprietary cryptographic algorithms were kept secret by the manufacturer. This phase, in which security was strongly based on obscurity, lasted until 2007, when the Hitag2 inner workings were reverse engineered [47]. Similarly to its predecessor Crypto1 (used in MIFARE Classic), the Hitag2 cipher consists of a 48 bit Linear Feedback Shift Register (LFSR) and a non-linear filter function used to output keystream. The publication of the Hitag2 cipher attracted the interest of the scientific community. Courtois et al. [14] were the first to study the strength of the Hitag2 stream cipher to algebraic attacks by transforming the cipher state into a system of equations and using SAT solvers to perform key recovery attacks. Their most practical attack requires two days computation and a total of four eavesdropped authentication attempts to extract the secret key. A more efficient attack, requiring 16 chosen initialization vectors (IV) and six hours of computations, was also proposed. However, and as noted by the authors themselves, chosen-IV attacks are prevented by the Hitag2 authentication protocol (see Sect. 3.5), thus making this attack unfeasible in practice.

In [42], Soos et al. introduced a series of optimizations on SAT solvers that made it possible to reduce the attack time of Courtois et al. to less than 7 hours. More recently, Štembera and Novotný [45] implemented a brute-force attack that could be carried out in less than two hours by using the COPACOBANA (footnote 2) high-performance cluster of FPGAs. Note however, that such an attack would require about 4 years if carried out on a standard PC. Finally, Sun et al. [44] tested the security of the Hitag2 cipher against cube attacks. Although according to their results the key can be recovered in less than a minute, this attack requires chosen initialization vectors and thus should be regarded as strictly theoretical.

Footnote 2: http://www.copacobana.org

Our contribution

In this paper, we show a number of vulnerabilities in the Hitag2 transponders that enable an adversary to retrieve the secret key. We propose three attacks that extract the secret key under different scenarios. We have implemented and successfully executed these attacks in practice on more than 20 vehicles of various make and model. On all these vehicles we were able to use an emulating device to bypass the immobilizer and start the vehicle.

Concretely, we found the following vulnerabilities in Hitag2.

• The transponder lacks a pseudo-random number generator, which makes the authentication procedure vulnerable to replay attacks. Moreover, the transponder provides known data when a read command is issued on the block where the transponder’s identity is stored, allowing to recover keystream. Redundancy in the commands allows an adversary to expand this keystream to arbitrary lengths. This means that the transponder provides an arbitrary length keystream oracle.

• With probability 1/4 the output bit of the cipher is determined by only 34 bits of the internal state. As a consequence, (on average) one out of four authentication attempts leaks one bit of information about the secret key.

• The 48 bit internal state of the cipher is only randomized by a nonce of 32 bits. This means that 16 bits of information over the secret key are persistent throughout different sessions.

We exploit these vulnerabilities in the following three practical attacks.

• The first attack exploits the malleability of the cipher and the fact that the transponder does not have a pseudo-random number generator. It uses a keystream shifting attack following the lines of [16]. This allows an adversary to first get an authentication attempt from the reader which can later be replayed to the transponder. Exploiting the malleability of the cipher, this can be used to read known plaintext (the identity of the transponder) and recover keystream. In a new session the adversary can use this keystream to read any other memory block (with exception of the secret key when configured correctly) within milliseconds. When the key is not read protected, this attack can also be used to read the secret key. This was in fact the case for most vehicles we tested from a French car make.

• The second attack is slower but more general in the sense that the same attack strategy can be applied to other LFSR based ciphers. The attack uses a time/memory tradeoff as proposed in [3, 6, 7, 11, 25, 38]. Exploiting the linear properties of the LFSR, we are able to efficiently generate the lookup table, reducing the complexity from $2^{48}$ to $2^{37}$ encryptions. This attack recovers the secret key regardless of the read protection configuration of the transponder. It requires 30 seconds of communication with the transponder and another 30 seconds to perform 2000 table lookups.

• The third attack is also the most powerful, as it only requires a few authentication attempts from the car immobilizer to recover the secret key (assuming that
the adversary knows a valid transponder id). This cryptanalytic attack exploits dependencies among different sessions and a low degree determination of the filter function used in the cipher. In order to execute this attack, an adversary first gathers 136 partial authentication attempts from the car. This can be done within one minute. Then, the adversary needs to perform $2^{35}$ operations to recover the secret key. This takes less than five minutes on an ordinary laptop.

Furthermore, besides looking into the security aspects of Hitag2 we also study how it is deployed and integrated in car immobilizer systems by different manufacturers. Our study reveals that in many vehicles the transponder is misconfigured by having readable or default keys, and predictable passwords, whereas the immobilizer unit employs weak pseudo-random number generators. All cars we tested use identifier white-listing as an additional security mechanism. This means that in order to use our third attack to hijack a car, an adversary first needs to eavesdrop, guess or wirelessly pickpocket a legitimate transponder id, see Section 7.5.

Following the principle of responsible disclosure, we have contacted the manufacturer NXP and informed them of our findings six months ahead of publication. We have also provided our assistance in compiling a document to inform their customers about these vulnerabilities. The communication with NXP has been friendly and constructive. NXP has for years encouraged the automotive industry to migrate to more secure products that incorporate strong and community-reviewed ciphers like AES [15]. It is surprising that the automotive industry is reluctant to migrate to secure products given the cost difference of a better chip (≤ 1 USD) in relation to the prices of high-end car models (≥ 50,000 USD).

2 Hardware setup

Before diving into details about Hitag2, this section introduces the experimental platform we have developed in order to carry out attacks in real-life deployments of car immobilizer systems. In particular, we have built a portable and highly flexible setup allowing us to i) eavesdrop communications between Hitag2 readers and transponders, ii) emulate a Hitag2 reader, and iii) emulate a Hitag2 transponder. Figure 5 depicts our setup in the setting of eavesdropping communications between a reader and a transponder.

Figure 5: Experimental setup for eavesdropping

The central element of our experimental platform is the Proxmark III board (footnote 3), originally developed by Jonathan Westhues (footnote 4), and designed to work with RFID transponders ranging from low frequency (125 kHz) to high frequency (13.56 MHz). The Proxmark III board costs around 200 USD and comes equipped with an FPGA and an ARM microcontroller. Low-level RF operations such as modulation/demodulation are carried out by the FPGA, whereas high-level operations such as encoding/decoding of frames are performed in the microcontroller.

Footnote 3: http://www.proxmark.org
Footnote 4: http://cq.cx/proxmark3.pl

Hitag2 tags are low frequency transponders used in proximity area RFID applications [36]. Communication from reader to transponder is encoded using Binary Pulse Length Modulation (BPLM), whereas from transponder to reader it can be encoded using either Manchester or Biphase coding. In order to eavesdrop, generate, and read communications from reader to transponder, we added support for encoding/decoding BPLM signals, see Figure 6.

Figure 6: Reader modulation of a read command

For the transponder side, we have also added the functionalities to support the Manchester coding scheme as shown in Figure 7.

Figure 7: Communication from transponder to reader
3 Hitag2

This section describes Hitag2 in detail. Most of this information is in the public domain. We first describe the Hitag2 functionality, memory structure, and communication protocols; this comes mostly from the product data sheet [36]. Then we describe the cipher and the authentication protocol which was previously reverse engineered in [47]. In Section 3.7 we show that it is possible to run the cipher backwards, which we use in our attacks.

We first need to introduce some notation. Let $\mathbb{F}_2 = \{0, 1\}$ be the field of two elements (or the set of Booleans). The symbol $\oplus$ denotes exclusive-or (XOR) and $0^n$ denotes a bitstring of $n$ zero-bits. Given two bitstrings $x$ and $y$, $xy$ denotes their concatenation. $\overline{x}$ denotes the bitwise complement of $x$. We write $y_i$ to denote the $i$-th bit of $y$. For example, given the bitstring $y = \texttt{0x03}$, $y_0 = y_1 = 0$ and $y_6 = y_7 = 1$. We denote encryptions by $\{-\}$.

3.1 Functionality

Access to the Hitag2 memory contents is determined by pre-configured security policies. Hitag2 transponders offer up to three different modes of operation:

1. In public mode the contents of the user data pages are simply broadcast by the transponder once it is powered up.

2. In password mode reader and transponder authenticate each other by interchanging their passwords. Communication is carried out in the clear, therefore this authentication procedure is vulnerable to replay attacks.

3. In crypto mode the reader and the transponder perform a mutual authentication by means of a 48-bit shared key. Communication between reader and transponder is encrypted using a proprietary stream cipher. This mode is used in car immobilizer systems and will be the focus of this paper.

3.2 Memory

Hitag2 transponders have a total of 256 bits of non-volatile memory (EEPROM) organized in 8 blocks of 4 bytes each. Figure 8 illustrates the memory contents of a transponder configured in crypto mode. Block 0 stores the read-only transponder identifier; the secret key is stored in blocks 1 and 2; the password and configuration bits in block 3; blocks 4 to 7 store user defined memory. Access to any of the memory blocks in crypto mode is only granted to a reader after a successful mutual authentication.

Block   Contents
0       transponder identifier $id$
1       secret key low $k_0 \dots k_{31}$
2       secret key high $k_{32} \dots k_{47}$ | reserved
3       configuration | password
4−7     user defined memory

Figure 8: Hitag2 memory map in crypto mode [36]

3.3 Communication

The communication protocol between the reader and transponder is based on the master-slave principle. The reader sends a command to the transponder, which then responds after a predefined period of time. There are five different commands: authenticate, read, $\overline{\text{read}}$, write and halt. As shown in Figure 9, the authenticate command has a fixed length of 5 bits, whereas the others have a length of at least 10 bits. Optionally, these 10 bits can be extended with a redundancy message of size multiple of 5 bits. A redundancy message is composed of the bit-complement of the last five bits of the command. According to the datasheet [36] this feature is introduced to “achieve a higher confidence level”.

In crypto mode the transponder starts in a halted state and is activated by the authenticate command. After a successful authentication, the transponder enters the active state in which it only accepts active commands which are encrypted. Every encrypted bit that is transferred consists of a plaintext bit XOR-ed with one bit of the keystream. The active commands have a 3-bit argument $n$ which represents the offset (block number) in memory. From this point we address Hitag2 active commands by referring to commands and explicitly mention authentication otherwise.

Command                     Bits                                                              State
authenticate                $11000$                                                           halted
read                        $11\,n_0 n_1 n_2\,00\,\overline{n_0 n_1 n_2} \dots$                active
$\overline{\text{read}}$    $01\,n_0 n_1 n_2\,10\,\overline{n_0 n_1 n_2} \dots$                active
write                       $10\,n_0 n_1 n_2\,01\,\overline{n_0 n_1 n_2} \dots$                active
halt                        $00\,n_0 n_1 n_2\,11\,\overline{n_0 n_1 n_2} \dots$                active

Figure 9: Hitag2 commands using block number n

Next we define the function cmd which constructs a bit string that represents a command $c$ on block $n$ with $r$ redundancy messages.

Definition 3.1. Let $c$ be the first 2-bit command as defined in Figure 9, $n$ be a 3-bit memory block number
and $r$ be the number of redundancy messages. Then, the function $\mathrm{cmd} : \mathbb{F}_2^2 \times \mathbb{F}_2^3 \times \mathbb{N} \to \mathbb{F}_2^{(10+5r)}$ is defined by

$$\mathrm{cmd}(c, n, 0) = c\,n\,\overline{c}\,\overline{n}$$

$$\mathrm{cmd}(c, n, r + 1) = \begin{cases} \mathrm{cmd}(c, n, r)\,\overline{c}\,\overline{n}, & r \text{ is odd;} \\ \mathrm{cmd}(c, n, r)\,c\,n, & \text{otherwise.} \end{cases}$$

For example, the command to read block 0 with two redundancy messages results in the following bit string.

$$\mathrm{cmd}(11, 0, 2) = 11000\ 00111\ 11000\ 00111$$

The encrypted messages between reader and transponder are transmitted without any parity bits. The transponder response always starts with a prefix of five ones, see Figure 10. In the remainder of this paper we will omit this prefix. A typical forward and backwards communication takes about 12 ms.

Reader → Transponder: $\{11000001111100000111\}$
Transponder → Reader: $11111\{id_0 \dots id_{31}\}$

Figure 10: Message flow for reading memory block 0

3.4 Cipher

In crypto mode, the communication between transponder and reader (after a successful authentication) is encrypted with the Hitag2 stream cipher. This cipher has been reverse engineered in [47]. The cipher consists of a 48-bit linear feedback shift register (LFSR) and a non-linear filter function $f$. Each clock tick, twenty bits of the LFSR are put through the filter function, generating one bit of keystream. Then the LFSR shifts one bit to the left, using the generating polynomial to generate a new bit on the right. See Figure 11 for a schematic representation.

Definition 3.2. The feedback function $L : \mathbb{F}_2^{48} \to \mathbb{F}_2$ is defined by

$$L(x_0 \dots x_{47}) := x_0 \oplus x_2 \oplus x_3 \oplus x_6 \oplus x_7 \oplus x_8 \oplus x_{16} \oplus x_{22} \oplus x_{23} \oplus x_{26} \oplus x_{30} \oplus x_{41} \oplus x_{42} \oplus x_{43} \oplus x_{46} \oplus x_{47}.$$

The filter function $f$ consists of three different circuits $f_a$, $f_b$ and $f_c$ which output one bit each. The circuits $f_a$ and $f_b$ are employed more than once, using a total of twenty input bits from the LFSR. Their resulting bits are used as input for $f_c$. The circuits are represented by three boolean tables that contain the resulting bit for each input.

Definition 3.3 (Filter function). The filter function $f : \mathbb{F}_2^{48} \to \mathbb{F}_2$ is defined by

$$f(x_0 \dots x_{47}) = f_c\big(f_a(x_2 x_3 x_5 x_6),\ f_b(x_8 x_{12} x_{14} x_{15}),\ f_b(x_{17} x_{21} x_{23} x_{26}),\ f_b(x_{28} x_{29} x_{31} x_{33}),\ f_a(x_{34} x_{43} x_{44} x_{46})\big),$$

where $f_a, f_b : \mathbb{F}_2^4 \to \mathbb{F}_2$ and $f_c : \mathbb{F}_2^5 \to \mathbb{F}_2$ are

$$f_a(i) = (\texttt{0xA63C})_i$$
$$f_b(i) = (\texttt{0xA770})_i$$
$$f_c(i) = (\texttt{0xD949CBB0})_i.$$

For future reference, note that each of the building blocks of $f$ (and hence $f$ itself) has the property that it outputs zero for half of the possible inputs (respectively one).

Remark 3.4 (Cipher schematic). Figure 11 is different from the schematic that was introduced by [47] and later used by [14, 19, 44, 45]. The input bits of the filter function in Figure 11 are shifted by one with respect to those of [47]. The filter function in the old schematic represents a keystream bit at the previous state $f(x_{i-1} \dots x_{i+46})$, while the one in Figure 11 represents a keystream bit of the current state $f(x_i \dots x_{i+47})$. Furthermore, we have adapted the boolean tables to be consistent with our notation.

3.5 Authentication protocol

The authentication protocol used in Hitag2 in crypto mode, reverse engineered and published online in 2007 [47], is depicted in Figure 12. The reader starts the communication by sending an authenticate command, to which the transponder answers by sending its identifier $id$. From this point on, communication is encrypted, i.e., XOR-ed with the keystream. The reader responds with its encrypted challenge $n_R$ and the answer $a_R = \texttt{0xFFFFFFFF}$ also encrypted to prove knowledge of the key; the transponder finishes with its encrypted answer $a_T$ (corresponding to block 3 in Fig. 8) to the challenge of the reader.

Reader → Transponder: authenticate
Transponder → Reader: $id$
Reader → Transponder: $\{n_R\}\{a_R\}$
Transponder → Reader: $\{a_T\}$

Figure 12: Hitag2 authentication protocol

During the authentication protocol, the internal state of the stream cipher is initialized. The initial state consists of the 32-bit identifier concatenated with the first 16 bits of the key. Then reader nonce $n_R$ XORed with the last 32 bits of the key is shifted in. During initialization, the LFSR feedback is disabled. Since communication is encrypted from $n_R$ onwards, the encryption of the later bits of $n_R$ is influenced by its earlier bits. Authentication is achieved by reaching the same internal state of the cipher after shifting in $n_R$.
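The command format of Definition 3.1 and Figure 9, as an added example that is not code from the paper: it builds cmd(c, n, r) and decodes a plaintext bit string, rejecting any whose 5-bit groups do not alternate between a word and its complement. The name `read_inv` for the overlined read command and all function names are assumptions of this example.

```python
# Added example (not from the paper): Hitag2 command framing per Definition 3.1.
# Bit strings are Python str of '0'/'1', leftmost bit first, as in the paper.

# 2-bit command codes from Figure 9; "read_inv" is this example's own name for
# the overlined read command.
CODES = {"read": "11", "read_inv": "01", "write": "10", "halt": "00"}
NAMES = {code: name for name, code in CODES.items()}
AUTHENTICATE = "11000"   # fixed 5-bit command, accepted in the halted state


def complement(bits: str) -> str:
    """Bitwise complement of a bit string."""
    return bits.translate(str.maketrans("01", "10"))


def cmd(c: str, n: int, r: int = 0) -> str:
    """cmd(c, n, r): command c on block n followed by r redundancy messages."""
    if c not in NAMES or not 0 <= n <= 7 or r < 0:
        raise ValueError("c must be a 2-bit code, n a block 0..7, r >= 0")
    word = c + format(n, "03b")        # c n0 n1 n2
    out = word + complement(word)      # the mandatory 10 bits
    for _ in range(r):
        # each redundancy message is the complement of the previous five bits
        out += complement(out[-5:])
    return out


def decode(bits: str):
    """Return (name, block, r) for a well-formed plaintext command."""
    if bits == AUTHENTICATE:
        return ("authenticate", None, 0)
    if len(bits) < 10 or len(bits) % 5 or set(bits) - {"0", "1"}:
        raise ValueError("length must be 10 + 5r bits")
    groups = [bits[i:i + 5] for i in range(0, len(bits), 5)]
    for prev, cur in zip(groups, groups[1:]):
        if cur != complement(prev):
            raise ValueError("redundancy check failed")
    word = groups[0]
    return (NAMES[word[:2]], int(word[2:], 2), len(groups) - 2)
```
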
[Figure 11: Structure of the Hitag2 stream cipher, based on [47]. The schematic shows the 48-bit LFSR (bits 0 to 47) with its XOR feedback, the first-layer filter blocks $f_a = \texttt{0xA63C}$, $f_b = \texttt{0xA770}$, $f_b = \texttt{0xA770}$, $f_b = \texttt{0xA770}$, $f_a = \texttt{0xA63C}$ feeding $f_c = \texttt{0xD949CBB0}$, and the keystream output.]

3.6 Cipher Initialization

The following precisely defines the initialization of the cipher and the generation of the LFSR-stream $a_0 a_1 \dots$ and the keystream $b_0 b_1 \dots$.

Definition 3.5. Given a key $k = k_0 \dots k_{47} \in \mathbb{F}_2^{48}$, an identifier $id = id_0 \dots id_{31} \in \mathbb{F}_2^{32}$, a reader nonce $n_R = n_{R_0} \dots n_{R_{31}} \in \mathbb{F}_2^{32}$, a reader answer $a_R = a_{R_0} \dots a_{R_{31}} \in \mathbb{F}_2^{32}$, and a transponder answer $a_T = a_{T_0} \dots a_{T_{31}} \in \mathbb{F}_2^{32}$, the internal state of the cipher at time $i$ is $\alpha_i := a_i \dots a_{47+i} \in \mathbb{F}_2^{48}$. Here the $a_i \in \mathbb{F}_2$ are given by

$$a_i := id_i \qquad \forall i \in [0, 31]$$
$$a_{32+i} := k_i \qquad \forall i \in [0, 15]$$
$$a_{48+i} := k_{16+i} \oplus n_{R_i} \qquad \forall i \in [0, 31]$$
$$a_{80+i} := L(a_{32+i} \dots a_{79+i}) \qquad \forall i \in \mathbb{N}.$$

Furthermore, we define the keystream bit $b_i \in \mathbb{F}_2$ at time $i$ by

$$b_i := f(a_i \dots a_{47+i}) \qquad \forall i \in \mathbb{N}.$$

Define $\{n_R\}_i, \{a_R\}_i, \{a_T\}_i \in \mathbb{F}_2$ by

$$\{n_R\}_i := n_{R_i} \oplus b_i \qquad \forall i \in [0, 31]$$
$$\{a_R\}_i := a_{R_i} \oplus b_{32+i} \qquad \forall i \in [0, 31]$$
$$\{a_T\}_i := a_{T_i} \oplus b_{64+i} \qquad \forall i \in [0, 31].$$

Note that the $a_i$, $\alpha_i$, $b_i$, $\{n_R\}_i$, $\{a_R\}_i$, and $\{a_T\}_i$ are formally functions of $k$, $id$, and $n_R$. Instead of making this explicit by writing, e.g., $a_i(k, id, n_R)$, we just write $a_i$ where $k$, $id$, and $n_R$ are clear from the context.

3.7 Rollback

To recover the key it is sufficient to learn the internal state of the cipher $\alpha_i$ at any point $i$ in time. Since an attacker knows $id$ and $\{n_R\}$, the LFSR can then be rolled back to time zero.

Definition 3.6. The rollback function $R : \mathbb{F}_2^{48} \to \mathbb{F}_2$ is defined by

$$R(x_1 \dots x_{48}) := x_2 \oplus x_3 \oplus x_6 \oplus x_7 \oplus x_8 \oplus x_{16} \oplus x_{22} \oplus x_{23} \oplus x_{26} \oplus x_{30} \oplus x_{41} \oplus x_{42} \oplus x_{43} \oplus x_{46} \oplus x_{47} \oplus x_{48}.$$

If one first shifts the LFSR left using $L$ to generate a new bit on the right, then $R$ recovers the bit that dropped out on the left, i.e.,

$$R(x_1 \dots x_{47}\, L(x_0 \dots x_{47})) = x_0. \tag{1}$$

Theorem 3.7. In the situation from Definition 3.5, we have

$$a_{32+i} = R(a_{33+i} \dots a_{80+i}) \qquad \forall i \in \mathbb{N}$$
$$a_i = id_i \qquad \forall i \in [0, 31].$$

Proof. Straightforward, using Definition 3.5 and Equation (1).

If an attacker manages to recover the internal state of the LFSR $\alpha_i = a_i a_{i+1} \dots a_{i+47}$ at some time $i$, then she can repeatedly apply Theorem 3.7 to recover $a_0 a_1 \dots a_{79}$ and, consequently, the keystream $b_0 b_1 b_2 \dots$. By having eavesdropped $\{n_R\}$ from the authentication protocol, the adversary can further calculate

$$n_{R_i} = \{n_R\}_i \oplus b_i \qquad \forall i \in [0, 31].$$

Finally, the adversary can compute the secret key as follows

$$k_i = a_{32+i} \qquad \forall i \in [0, 15]$$
$$k_{16+i} = a_{48+i} \oplus n_{R_i} \qquad \forall i \in [0, 31].$$

4 Hitag2 weaknesses

This section describes three weaknesses in the design of Hitag2. The first one is a protocol flaw while the last two concern the cipher’s design. These weaknesses will later be exploited in Section 5.

4.1 Arbitrary length keystream oracle

This weakness describes that without knowledge of the secret key, but by having only one authentication attempt, it is possible to gather an arbitrary length of keystream bits from the transponder. Section 3.3 describes the reader commands that can modify or halt a Hitag2 transponder. As mentioned in Definition 3.1 it is possible to extend the length of such a command with a multiple of five bits. A 10-bit command can have an optional number of redundancy messages $r$ so that the total bit count of the message is $10 + 5r$ bits. Due to power and memory constraints, Hitag2 seems to be designed
to communicate without a send/receive buffer. Therefore, all cipher operations are performed directly at arrival or transmission of bits. Experiments show that a Hitag2 transponder successfully accepts encrypted commands from the reader which are sent with 1000 redundancy messages. The size of such a command consists of $10 + 5 \times 1000 = 5010$ bits.

Since there is no challenge from the transponder it is possible to replay any valid $\{n_R\}\{a_R\}$ pair to the transponder to achieve a successful authentication. After receiving $a_T$, the internal state of the transponder is initialized and waits for an encrypted command from the reader as defined in Figure 9. Without knowledge of the keystream bits $b_{96} b_{97} \dots$ and onwards, all possible combinations need to be evaluated. A command consists of at least 10 bits, therefore there are $2^{10}$ possibilities. Each command requires a 3-bit parameter containing the block number. Both read and $\overline{\text{read}}$ receive a 32-bit response, while the write and halt have a different response length. Hence, when searching for 10-bit encrypted commands that get a 32-bit response there are exactly 16 out of the $2^{10}$ values that match. On average the first read command is found after 32 attempts, the complement of this read and its parameters are a linear difference and therefore take only 15 attempts more.

Reader → Transponder: $\mathrm{cmd}(11, 0, 0) \oplus b_{96} \dots b_{105}$
Transponder → Reader: $id \oplus b_{106} \dots b_{137}$

Figure 13: Read id without redundancy messages

One of the 16 guesses represents the encrypted bits of the read command on the first memory block. This block contains the id which is known plaintext since it is transmitted in the clear during the authentication. Therefore, there is a guess such that the communicated bits are equal to the messages in Figure 13.

With the correct guess, 40 keystream bits can be recovered. This keystream is then used to encrypt a slightly modified read command on block 0 with six redundancy messages, as explained in Section 3.3. The transponder responds with the next 32 bits of keystream which are used to encrypt the identifier as shown in Figure 14. Hence the next 30 keystream bits were retrieved using previously recovered keystream and by extending the read command.

Reader → Transponder: $\mathrm{cmd}(11, 6, 0) \oplus b_{96} \dots b_{135}$
Transponder → Reader: $id \oplus b_{136} \dots b_{167}$

Figure 14: Read id using 6 redundancy messages

This operation can be repeated many times. For example, using the recovered keystream bits $b_{96} \dots b_{167}$ it is possible to construct a 70-bit read command with 12 redundancy messages etc. In practice it takes less than 30 seconds to recover 2048 bits of contiguous keystream.

4.2 Dependencies between sessions

Section 3.6 shows that at cipher state $\alpha_{79}$ the cipher is fully initialized and from there on the cipher only produces keystream. This shows that the 48-bit internal state of the cipher is randomized by a reader nonce $n_R$ of only 32 bits. Consequently, at state $\alpha_{79}$, only LFSR bits 16 to 47 are affected by the reader nonce. Therefore LFSR bits 0 to 15 remain constant throughout different sessions, which gives a strong dependency between them. These 16 session persistent bits correspond to bits $k_0 \dots k_{15}$ of the secret key.

4.3 Low degree determination of the filter function

The filter function $f : \mathbb{F}_2^{48} \to \mathbb{F}_2$ consists of three building blocks $f_a$, $f_b$ and $f_c$ arranged in a two layer structure, see Figure 11. Due to this particular structure, input bits $a_{34} \dots a_{47}$ only affect the rightmost input bit of $f_c$. Furthermore, simple inspection of $f_c$ shows that in 8 out of 32 configurations of the input bits, the rightmost input bit has no influence on the output of $f_c$. In those cases the output of $f_c$ is determined by its 4-leftmost input bits. Furthermore, this means that with probability 1/4 the filter function $f$ is determined by the 34-leftmost bits of the internal state. The following theorem states this precisely.

Theorem 4.1. Let $X$ be a uniformly distributed variable over $\mathbb{F}_2^{34}$. Then

$$P[\forall Y, Y' \in \mathbb{F}_2^{14} : f(XY) = f(XY')] = 1/4.$$

Proof. By inspection.

Definition 4.2. The function that checks for this property $P : \mathbb{F}_2^{48} \to \mathbb{F}_2$ is defined by

$$P(x_0 \dots x_{47}) = (\texttt{0x84D7})_i$$

where

$$i = f_a(x_2 x_3 x_5 x_6)\ f_b(x_8 x_{12} x_{14} x_{15})\ f_b(x_{17} x_{21} x_{23} x_{26})\ f_b(x_{28} x_{29} x_{31} x_{33}).$$

Because $P(x_0 \dots x_{47})$ only depends on $x_0 \dots x_{33}$ we shall overload notation and see $P(\cdot)$ as a function $\mathbb{F}_2^{34} \to \mathbb{F}_2$, writing $P(x_0 \dots x_{47})$ as $P(x_0 \dots x_{33}\, 0^{14})$.
5 Attacks

This section describes three attacks against Hitag2. The first attack is straightforward and grants an adversary read and write access to the memory of the transponder. The cryptanalysis described in the second attack recovers the secret key after briefly communicating with the car and the transponder. This attack uses a general technique that can be applied to other LFSR-like stream ciphers. The third attack describes a custom cryptanalysis of the Hitag2 cipher. It only requires a few authentication attempts from the car and allows an adversary to recover the secret key with a computational complexity of $2^{35}$ operations. The last two attacks allow a trade-off between time/memory/data and time/traces respectively. For the sake of simplicity we describe these attacks with concrete values that are either optimal or what we consider ‘sensible’ in view of currently available hardware.

5.1 Malleability attack

This attack exploits the arbitrary length keystream oracle weakness described in Section 4.1, and the fact that during the authentication algorithm the transponder does not provide any challenge to the reader. These notorious weaknesses allow an adversary to first acquire keystream and then use it to read or write any block on the card with constant communication and computational complexity. After the recovery of the keystream bits $b_{96} \ldots b_{137}$ as shown in Figure 13 an adversary can dump the complete memory of the transponder which includes its password. Recovery of the keystream and creating a memory dump from the transponder takes in total less than one second and requires only to be in proximity distance of the victim. This shows a similar scenario to [22] where Garcia et al. show how to wirelessly pickpocket a MIFARE Classic card from the victim.

The memory blocks where the cryptographic key is stored have an extra optional protection mechanism. There is a one time programmable configuration bit which determines whether these blocks are readable or not. If the reader tries to read a protected block, then the transponder does not respond. In that case the adversary can still use the attacks presented in Section 5.2 and Section 5.3. If the transponder is not correctly configured, it enables an adversary to read all necessary data to start the car.

5.2 Time/memory tradeoff attack

This attack is very general and it can be applied to any LFSR-based stream cipher as long as enough contiguous keystream is available. This is in fact the case with Hitag2 due to the weakness described in Section 4.1. It extends the methods of similar time/memory tradeoffs articles published over the last decades [3, 6, 7, 11, 25, 38]. This attack requires communication with the reader and the transponder. The next proposition introduces a small trick that makes it possible to quickly perform $n$ cipher steps at once. Intuitively, this proposition states that the linear difference between a state $s$ and its $n$-th successor is a combination of the linear differences generated by each bit. This will be later used in the attack.

Proposition 5.1. Let $s$ be an LFSR state and $n \in \mathbb{N}$. Furthermore, let $d_i = \mathrm{suc}^n(2^i)$ i.e., the LFSR state that results from running the cipher $n$ steps from the state $2^i$. Then

$\mathrm{suc}^n(s) = \bigoplus_{i=0}^{47} (d_i \cdot s_i).$

To perform the attack the adversary A proceeds as follows:

1. Only once, A builds a table containing $2^{37}$ entries. Each entry in the table is of the form $\langle ks, s \rangle$ where $s \in \mathbb{F}_2^{48}$ is an LFSR state and $ks \in \mathbb{F}_2^{48}$ are 48 bits of keystream produced by the cipher when running from $s$. Starting from some state where $s \neq 0$, the adversary generates 48 bits of keystream and stores it. Then it uses Theorem 5.1 to quickly jump $n = 2^{11}$ cipher states to the next entry in the table. This reduces the computational complexity of building the table from $2^{48}$ to $48 \times 2^{37} = 2^{42.5}$ cipher ticks. Moreover, in order to improve lookup time the table is sorted on $ks$ and divided into $2^{24}$ sub-tables encoded in the directory structure like /ks_byte1/ks_byte2/ks_byte3.bin where each ks_byte3.bin file has only 8 KB. The total size of this table amounts to 1.2 TB.

2. A emulates a transponder and runs an authentication attempt with the target car. Following the authentication protocol, the car answers with a message $\{n_R\}\{a_R\}$.

3. Next, the attacker wirelessly replays this message to the legitimate transponder and uses the weakness described in Section 4.1 to obtain 256 bytes of keystream $ks_0 \ldots ks_{2048}$. Note that this might be done while the key is in the victim’s bag or pocket.

4. The adversary sets $i = 0$.

5. Then it looks up (in logarithmic time) the keystream $ks_i \ldots ks_{i+47}$ in the table from step 1.

6. If the keystream is not in the table then it increments $i$ and goes back to step 5. If there is a match, then the corresponding state is a candidate internal state. A uses the rest of the keystream to confirm if this is the internal state of the cipher.
7. Finally, the adversary uses Theorem 3.7 to rollback the cipher state and recover the secret key.

Complexity and time. In step 1 the adversary needs to pre-compute a 1.2 TB table which requires $2^{42.5}$ cipher ticks, which is equal to $2^{37}$ encryptions. During generation, each entry is stored directly in the corresponding .bin file as mentioned before. Each of these 8 KB files also needs to be sorted but it only takes a few minutes to sort them all. Computing and sorting the whole table takes less than one day on a standard laptop. Steps 2-3 take about 30 seconds to gather the 256 bytes of keystream from the transponder. Steps 4-6 require (in worst case) 2000 table lookups which take less than 30 seconds on a standard laptop. This adds to a total of one minute to execute the attack from begin to end.

5.3 Cryptanalytic attack

A combination of the weaknesses described in Section 4.2 and 4.3 enable an attacker to recover the secret key after gathering a few authentication attempts from a car. In case that identifier white-listing is used as a secondary security measure, which is in fact the case for all the cars we tested, the adversary first needs to obtain a valid transponder id, see Section 7.5.

The intuition behind the attack is simple. Suppose that an adversary has a guess for the first 34 bits of the key. One out of four traces is expected to have the property from Theorem 4.1 which enables the adversary to perform a test on the first bit of $\{a_R\}$. The dependencies between sessions described in Section 4.2 allow the attacker to perform this test many times decreasing drastically the amount of candidate (partial) keys. If an attacker gathers 136 traces this allows her (on average) to perform 136/4 = 34 bit tests, i.e. just as much as key bits were guessed. For the small amount of candidate keys that pass these tests (typically 2 or 3), the adversary performs an exhaustive search for the remaining 14 bits of the key. A precise description of this attack follows.

1. The attacker uses a transponder emulator (like the Proxmark III) to initiate 136 authentication attempts with the car using a fixed transponder id. In this way the attacker gathers 136 traces of the form $\{n_R\}\{a_R\}$. Next the attacker starts searching for the secret key. For this we split the key $k$ in three parts $k = \overleftarrow{k}\,\hat{k}\,\overrightarrow{k}$ where $\overleftarrow{k} = k_0 \ldots k_{15}$, $\hat{k} = k_{16} \ldots k_{33}$, and $\overrightarrow{k} = k_{34} \ldots k_{47}$.

2. For each $\overleftarrow{k} = k_0 \ldots k_{15} \in \mathbb{F}_2^{16}$ the attacker builds a table $T_{\overleftarrow{k}}$ containing entries

   $\langle y \oplus b_0 \ldots b_{17},\ b_{32},\ \overleftarrow{k}y \rangle$

   for all $y \in \mathbb{F}_2^{18}$ such that $P(\overleftarrow{k}\,y\,0^{14}) = 1$. Note that the expected size of this table is $2^{18} \times 1/4 = 2^{16}$ which easily fits in memory.

3. For each $\hat{k} = k_{16} \ldots k_{33} \in \mathbb{F}_2^{18}$ and for each trace $\{n_R\}\{a_R\}$, the attacker sets $z := \hat{k} \oplus \{n_R\}_0 \ldots \{n_R\}_{17}$. If there is an entry in $T_{\overleftarrow{k}}$ for which $y \oplus b_0 \ldots b_{17}$ equals $z$ but $b_{32} \neq \{a_R\}_0$ then the attacker learns that $\hat{k}$ is a bad guess, so he tries the next one. Otherwise, if $b_{32} = \{a_R\}_0$ then $\hat{k}$ is still a viable guess and therefore the adversary tries the next trace.

4. Each $\overleftarrow{k}\hat{k}$ that passed the test for all traces is a partial candidate key. For each such candidate (typically 2 or 3), the adversary performs an exhaustive search for the remaining key bits $\overrightarrow{k} = k_{34} \ldots k_{47}$. For each full candidate key, the adversary decrypts two traces and checks whether both $\{a_R\}$ decrypt to all ones as specified in the authentication protocol. If a candidate passes this test then it is the secret key. If none of them passes then the adversary goes back to Step 2 and tries the next $\overleftarrow{k}$.

Complexity and time. In step 1, the adversary needs to gather 136 partial authentication traces. This can be done within 1 minute using the Proxmark III. In steps 2 and 3, the adversary needs to build $2^{16}$ tables. For each of these tables the adversary needs to compute $2^{18}$ encryptions plus $2^{18}$ table lookups. Step 4 has negligible complexity thus we ignore it. This adds to a total complexity of $2^{16} \times (2^{18} + 2^{18}) = 2^{35}$ encryptions/lookups. Note that it is straightforward to split up the search space of $\overleftarrow{k}$ in as many processes as you wish. On a standard quad-core laptop this computation takes less than five minutes. Therefore, the whole attack can be performed in less than 360 seconds which explains the title of the paper.

This attack is faster than other practical attacks proposed in [14, 45]. The following table shows a comparison between this attack and other attacks from the literature.

Attack   Description     Practical   Computation     Traces   Time
[45]     brute-force     yes         2 102 400 min   2        4 years
[14]     sat-solver      yes         2 880 min       4        2 days
[42]     sat-solver      no¹         386 min         N/A      N/A
[44]     cube            no²         1 min           500      N/A
Our      cryptanalytic   yes         5 min           136      6 min

¹ Soos et al. require 50 bits of contiguous keystream.
² Sun et al. require control over the encrypted reader nonce $\{n_R\}$.

Figure 15: Comparison of attack times and requirements
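The one-minute trace collection in step 1 depends on the car answering failed authentications back to back. As an added example (not from the paper), the following models a reader-side pause policy of the kind Section 8 proposes and computes how long 136 consecutive failed attempts then take. The policy parameters, the class names and the per-attempt time derived from "136 traces within 1 minute" are assumptions of the example.

```python
"""Added illustration: pause policy after failed immobilizer authentications."""
from dataclasses import dataclass
from typing import Optional

# From the paper: 136 traces are gathered within one minute when no delay applies.
TRACES_NEEDED = 136
ATTEMPT_S = 60.0 / TRACES_NEEDED


@dataclass(frozen=True)
class DelayPolicy:
    """All numeric defaults are assumptions of this example, not values from the paper."""
    growth: str = "exponential"   # or "incremental"
    base_s: float = 0.5           # length of the first pause
    cap_s: float = 300.0          # ceiling: bounds the wait a legitimate driver can face
    free_failures: int = 3        # isolated misreads cost nothing

    def pause_after(self, consecutive_failures: int) -> float:
        """Seconds to wait once this many failures have occurred in a row."""
        n = consecutive_failures - self.free_failures
        if n <= 0:
            return 0.0
        if self.growth == "exponential":
            # Clamp the exponent so a large counter cannot overflow a float.
            pause = self.base_s * 2.0 ** min(n - 1, 64)
        elif self.growth == "incremental":
            pause = self.base_s * n
        else:
            raise ValueError(f"unknown growth mode: {self.growth}")
        return min(pause, self.cap_s)


class AuthGate:
    """Reader-side gate. The failure counter has to survive power loss (assumption:
    the caller persists `failures` and `not_before`), otherwise cutting power
    between attempts resets the pause."""

    def __init__(self, policy: DelayPolicy, failures: int = 0, not_before: float = 0.0):
        self.policy = policy
        self.failures = failures
        self.not_before = not_before

    def may_start(self, now: float) -> bool:
        return now >= self.not_before

    def record(self, success: bool, now: float) -> None:
        if success:
            self.failures = 0
            self.not_before = now
        else:
            self.failures += 1
            self.not_before = now + self.policy.pause_after(self.failures)


def seconds_to_collect(traces: int, policy: Optional[DelayPolicy],
                       attempt_s: float = ATTEMPT_S) -> float:
    """Wall-clock time for `traces` consecutive failed attempts against the gate."""
    gate = AuthGate(policy) if policy else None
    now = 0.0
    for _ in range(traces):
        if gate and not gate.may_start(now):
            now = gate.not_before      # the requester can only wait out the pause
        now += attempt_s               # one authentication exchange
        if gate:
            gate.record(success=False, now=now)
    return now


if __name__ == "__main__":
    for label, pol in (("no delay", None),
                       ("incremental", DelayPolicy(growth="incremental")),
                       ("exponential", DelayPolicy())):
        print(f"{label:12s} {seconds_to_collect(TRACES_NEEDED, pol) / 60:8.1f} min")
```

With these assumed parameters the cap, not the growth rate, dominates the total: it is also the longest wait a driver faces after a run of failed reads.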
Figure 16: Left: Authentication failure message. Right: Successful authentication using a Proxmark III

6 Starting a car

In order to elaborate on the practicality of our attacks, this section describes our experience with one concrete vehicle. For this we have chosen a German car, mainly due to the fact that it has keyless ignition. Instead of the typical mechanical key, this car has a hybrid remote control which contains a Hitag2 transponder. In the dashboard of the car there is a slot to insert the remote and a button to start the engine. When a piece of plastic of suitable size is inserted in this slot the car repeatedly attempts to authenticate the transponder (and fails). This car uses an identifier white-list as described in Section 7.5. The same section explains how to wirelessly pickpocket a valid identifier from the victim’s remote. As soon as the car receives a valid identifier, the dashboard lights up and the LCD screen pops-up displaying the message shown in Figure 16-Left. Note also the sign on the dashboard. At this point we used the Proxmark to quickly gather enough traces and execute the attack from Section 5.3 to recover the secret key. This car is one of the few that we tested that does not have a predictable password so we wirelessly read it from the victim’s remote. Then we use the Proxmark to emulate the transponder. Figure 16-Right shows that the car accepts the Proxmark as if it was the legitimate transponder. The same picture shows (by looking at the tachometer) that at this stage it is possible to start the engine.

7 Implementation weaknesses

To verify the practicality of our attacks, we have tested all three of them on at least 20 different car models from various makes. During our experiments we found that, besides the weaknesses in cipher and protocol, the transponder is often misconfigured and poorly integrated in the cars. Most of the cars we tested use a default or predictable transponder password. Some generate nonces with a very low entropy. Most car keys have vehicle-dependent information stored in the user defined memory of the transponder, but none of the tested cars actually check this data. Some cars use Hitag2 for keyless ignition systems, which are more vulnerable because they lack a physical key. This section summarizes some of the weaknesses we found during our practical experiments. Especially, Section 7.4 shows the implications of the attack described in Section 5.3 when the transponder uses a predictable password. Section 7.5 describes how to circumvent identifier white-listing. This is an additional security mechanism which is often used in vehicle immobilizers.

7.1 Weak random number generators

From the cars we tested, most pseudo-random number generators (PRNG) use the time as a seed. The time intervals do not have enough precision. Multiple authentication attempts within a time frame of one second get the same random number. Even worse, we came across two cars which have a PRNG with dangerously low entropy. The first one, a French car (A), produces nonces with only 8 bits of entropy, by setting 24 of the 32 bits always to zero as shown in Figure 17.

Origin   Message                    Description
CAR      18                         authenticate
TAG      39 0F 20 10                id
CAR      0A 00 00 00 23 71 90 14    $\{n_R\}\{a_R\}$
TAG      27 23 F8 AF                $\{a_T\}$
CAR      18                         authenticate
TAG      39 0F 20 10                id
CAR      56 00 00 00 85 CA 95 BA    $\{n_R\}\{a_R\}$
TAG      38 07 50 C5                $\{a_T\}$

Figure 17: Random numbers generated by car A
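An added example (not from the paper): a screening script that a manufacturer or tester could run over logged reader nonces to catch the defects this section reports, namely repeated nonces, fixed bits as in car A (Figure 17) and coupled nibbles as in car B (Figure 18). The nonce values are copied from those two figures; the function names and the `min_repeats` threshold are assumptions of the example, and the result is a structural upper bound on entropy, not a replacement for a statistical test suite.

```python
"""Added illustration: structural screening of logged 32-bit reader nonces."""

FIELDS = 8  # a 32-bit nonce viewed as eight nibbles, most significant first

# Reader nonces {nR} copied from Figure 17 (car A) and Figure 18 (car B).
CAR_A = ["0A 00 00 00", "56 00 00 00"]
CAR_B = ["20 D1 0B 08", "70 61 1B 58", "B0 A1 5B 98", "D0 41 FB B8",
         "25 1A 3C AD", "05 7A 9C 8D", "C5 3A 5C 4D", "E5 DA FC 6D"]


def to_nibbles(nonce_hex):
    """Parse 'AA BB CC DD' (spaces optional) into a tuple of eight nibbles."""
    raw = bytes.fromhex(nonce_hex)
    if len(raw) != 4:
        raise ValueError(f"expected a 32-bit nonce, got {nonce_hex!r}")
    return tuple(int(digit, 16) for digit in raw.hex())


def determined_by(samples, src, dst, min_repeats):
    """True if nibble `dst` is a function of nibble `src` across the samples.

    `min_repeats` samples must re-confirm an already seen mapping; without it,
    a few all-distinct source values would look like a dependency by accident.
    """
    seen = {}
    repeats = 0
    for s in samples:
        if s[src] not in seen:
            seen[s[src]] = s[dst]
        elif seen[s[src]] != s[dst]:
            return False            # same source value, different result
        else:
            repeats += 1
    return repeats >= min_repeats


def audit(nonces_hex, min_repeats=4):
    """Report duplicates, constant nibbles, coupled nibbles and an entropy ceiling."""
    samples = [to_nibbles(n) for n in nonces_hex]
    if len(samples) < 2:
        raise ValueError("need at least two nonces to compare")
    constant = [i for i in range(FIELDS) if len({s[i] for s in samples}) == 1]
    varying = [i for i in range(FIELDS) if i not in constant]
    coupled = {}                    # dependent nibble -> earlier nibble that fixes it
    for dst in varying:
        for src in varying:
            if src >= dst:
                break
            if src not in coupled and determined_by(samples, src, dst, min_repeats):
                coupled[dst] = src
                break
    free = [i for i in varying if i not in coupled]
    return {
        "duplicates": len(samples) - len(set(samples)),
        "constant_nibbles": constant,
        "coupled_nibbles": coupled,
        # Ceiling only: every nibble that is neither constant nor coupled is
        # counted as four full bits, which real generators may not deliver.
        "max_entropy_bits": 4 * len(free),
    }


if __name__ == "__main__":
    for name, log in (("car A", CAR_A), ("car B", CAR_B)):
        print(name, audit(log))
```

A clean result from this screen only rules out these specific structures, and the ceiling gets tighter as more nonces are logged.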
Another French car (B), produced random looking nonces, but in fact, the last nibble of each byte was determined by the last nibble of the first byte. A subset of these nonces are shown in Figure 18.

$\{n_R\}$        $\{a_R\}$
20 D1 0B 08    56 36 F3 66
70 61 1B 58    1B 18 F3 38
B0 A1 5B 98    1E 94 62 3A
D0 41 FB B8    01 3B 54 10
25 1A 3C AD    15 88 5E 19
05 7A 9C 8D    F7 4D F7 70
C5 3A 5C 4D    30 B1 4A D4
E5 DA FC 6D    D8 BD 79 C3

Figure 18: Random numbers generated by car B

7.2 Low entropy keys

Some cars have repetitive patterns in their keys which makes them vulnerable to dictionary attacks. Recent models of a Korean car (C) use the key with the lowest entropy we came across. It tries to access the transponder in password mode as well as in crypto mode. For this it uses the default password MIKR and a key of the form 0xFFFF******FF as shown in Figure 19.

Origin   Message                    Description
CAR      18                         authenticate
TAG      E4 13 05 1A                id
CAR      4D 49 4B 52                password = MIKR
CAR      18                         authenticate
TAG      E4 13 05 1A                id
CAR      DA 63 3D 24 A7 19 07 12    $\{n_R\}\{a_R\}$
TAG      EC 2A 4B 58                $\{a_T\}$

Figure 19: Car C authenticates using the default password and secret key 0xFFFF814632FF

7.3 Readable keys

Section 5.1 shows how to recover the memory dump of a Hitag2 transponder. Almost all makes protect the secret key against read operations by setting the bits of the configuration in such a way that block one and two are not readable. Although there are some exceptions. For example, experiments show that most cars from a French manufacturer have not set this protection bit. This enables an attacker to recover the secret key in an instant. Even more worrying, many of these cars have the optional feature to use a remote key-less entry system which have a much wider range and are therefore more vulnerable to wireless attacks. The combination of a transponder that is wirelessly accessible over a distance of several meters and a non protected readable key is most worrying.

7.4 Predictable transponder passwords

The transponder password is encrypted and sent in the transponder answer $a_T$ of the authentication protocol. This is an additional security mechanism of the Hitag2 protocol apart from the cryptographic algorithm. Besides the fact that the transponder proves knowledge of the secret key, it sends its password encrypted. In general it is good to have some fall back scenario and countermeasure if the used cryptosystem gets broken. Section 5.3 demonstrates how to recover the secret key from a vehicle. But to start the engine, it is necessary to know the transponder password as well. Experiments show that at least half of the cars we tested on use default or predictable passwords.

7.5 Identifier pickpocketing

The first generation of vehicle immobilizers were not able to compute any cryptographic operations. These transponders were simply transmitting a constant (unique) identifier over the RF channel. Legitimate transponder identifiers were white-listed by the vehicle and only those transponders in the white-list would enable the engine to start. Most immobilizer units in cars still use such white-listing mechanism, which is actually encouraged by NXP. These cars would only attempt to authenticate transponders in their white-list. This is an extra obstacle for an attacker, namely recovering a genuine identifier from the victim before being able to execute any attack. There are (at least) two ways for an adversary to wirelessly pickpocket a Hitag2 identifier:

• One option is to use the low-frequency (LF) interface to wirelessly pickpocket the identifier from the victim’s key. This can be done within proximity distance and takes only a few milliseconds. According to the Hitag2 datasheet [36], the communication range of a transponder is up to one meter. Although, Hitag2 transponders embedded into car keys are optimized for size and do not achieve such a communication distance. However, an adversary can use tuned equipment with big antennas that ignore radiation regulations (e.g., [17]) in order to reach a larger reading distance. Many examples in the literature show the simplicity and low-cost of such a setup [24, 30, 31, 43].

• Another option is to use the wide range ultra-high frequency (UHF) interface. For this an adversary needs to eavesdrop the transmission of a hybrid
Hitag2 transponder [39] when the victim presses a button on the remote (e.g. to close the doors). Most keyless entry transponders broadcast their identifier in the clear on request (see for example [39]).

With respect to the LF interface, the UHF interface has a much wider transmission range. As shown in [18] it is not hard to eavesdrop such a transmission from a distance of 100 meters. From a security perspective, the first generation Hitag2 transponders have a physical advantage over the hybrid transponders since they only support the LF interface.

8 Mitigation

This section briefly discusses a simple but effective authentication protocol for car immobilizers and it also describes a number of mitigating measures for the attacks proposed in Section 5. For more details we refer the reader to [1, 9].

First of all we emphasize that it is important for the automotive industry to migrate from weak proprietary ciphers to a peer-reviewed one such as AES [15], used in cipher block chaining mode (CBC). A straightforward mutual authentication protocol is sketched in Figure 20. The random nonces $n_R$, $n_T$, secret key $k$ and transponder password $PWD_T$ should be at least 128 bits long. Comparable schemes are proposed in the literature [32, 33, 46, 48, 49].

    authenticate
    −−−−−−−−−−−−−−−−−−−→
    id, $n_T$
    ←−−−−−−−−−−−−−−−−−−−
    $\{n_R, n_T\}_k$
    −−−−−−−−−−−−−−−−−−−→
    $\{n_R, PWD_T\}_k$
    ←−−−−−−−−−−−−−−−−−−−

Figure 20: Immobilizer authentication protocol using AES

There are already in the market immobilizer transponders which implement AES like the ATA5795 [2] from Atmel and the Hitag AES / Pro [37] from NXP. It should be noted that, although they use a peer-reviewed encryption algorithm, their authentication protocol is still proprietary and therefore lacks public and academic scrutiny.

In order to reduce the applicability of our cryptographic attack, the automotive industry could consider the following measures. This attack is the most sensitive as it does not require access to the car key. These countermeasures should be interpreted as palliating (but not a solution) before migrating to a more secure and openly designed product.

• Extend the transponder password
  The transponder password is an important part of the authentication protocol but grievously it has only an entropy of 24 bits. Such a password is easy to find via exhaustive search. Furthermore, as we mentioned in Section 7.4, manufacturers often deployed their cars with predictable transponder passwords. As shown in Figure 8, there are four pages available of user defined memory in a Hitag2 transponder. These could be used to extend the transponder password with 128 bits of random data to increase its entropy. This implies that an adversary needs to get access to the transponder’s memory before being able to steal a car.

• Delay authentication after failure
  The cryptographic car-only attack explained in Section 5.3 requires several authentication attempts to reduce the computational complexity. Extending the time an adversary needs to gather these traces increases the risk of being caught. To achieve this, the immobilizer introduces a pause before re-authenticating that grows incrementally or exponentially with the number of sequential incorrect authentications. An interesting technique to implement such a countermeasure is proposed in [40]. The robustness, availability and usability of the product is affected by this delay, but it increases the attack time considerably and therefore reduces the risk of car theft.

Besides these measures, it is important to improve the pseudo-random number generator in the vehicles which is used to generate reader nonces. Needless to say, the same applies to cryptographic keys and transponder passwords. NIST has proposed a statistical test suite which can be used to verify the quality of a pseudo-random number generator [41].

9 Conclusions

We have found many serious vulnerabilities in the Hitag2 and its usage in the automotive industry. In particular, Hitag2 allows replaying reader data to the transponder; provides an unlimited keystream oracle and uses only one low-entropy nonce to randomize a session. These weaknesses allow an adversary to recover the secret key within seconds when wireless access to the car and key is available. When only communication with the car is possible, the adversary needs less than six minutes to recover the secret key. The cars we tested use identifier white-listing. To circumvent this, the adversary first needs to obtain a valid transponder id by other means e.g., eavesdrop it when the victim locks the doors. This
UHF transmission can be intercepted from a distance of 100 meters [18]. We have executed all our attacks (from Section 5) in practice within the claimed attack times. We have experimented with more than 20 vehicles of various makes and models and found also several implementation weaknesses.

In line with the principle of responsible disclosure, we have notified the manufacturer NXP six months before disclosure. We have constructively collaborated with NXP, discussing mitigating measures and giving them feedback to help improve the security of their products.

10 Acknowledgments

The authors would like to thank Bart Jacobs for his firm support in the background. We are also thankful to E. Barendsen, L. van den Broek, J. de Bue, Y. van Dalen, E. Gouwens, R. Habraken, I. Haerkens, S. Hoppenbrouwers, K. Koster, S. Meeuwsen, J. Reule, J. Reule, I. Roggema, L. Spix, C. Terheggen, M. Vaal, S. Vernooij, U. Zeitler, B. Zwanenburg, and those who prefer to remain anonymous for (bravely) volunteering their cars for our experiments.

References

[1] Ross J. Anderson. Security Engineering: A guide to building dependable distributed systems. Wiley, 2010.

[2] Atmel. Embedded avr microcontroller including rf transmitter and immobilizer lf functionality for remote keyless entry - ATA5795, 2010.

[3] Steve Babbage. A space/time tradeoff in exhaustive search attacks on stream ciphers. In European Convention on Security and Detection, volume 408 of Conference Publications, pages 161–166. IEEE Computer Society, 1995.

[4] Josep Balasch, Benedikt Gierlichs, Roel Verdult, Lejla Batina, and Ingrid Verbauwhede. Power analysis of Atmel CryptoMemory - recovering keys from secure EEPROMs. In 12th Cryptographers’ Track at the RSA Conference (CT-RSA 2012), volume 7178 of Lecture Notes in Computer Science, pages 19–34. Springer-Verlag, 2012.

[5] Alex Biryukov, Ilya Kizhvatov, and Bin Zhang. Cryptanalysis of the Atmel cipher in SecureMemory, CryptoMemory and CryptoRF. In 9th Applied Cryptography and Network Security (ACNS 2011), pages 91–109. Springer-Verlag, 2011.

[6] Alex Biryukov, Sourav Mukhopadhyay, and Palash Sarkar. Improved time-memory trade-offs with multiple data. In 13th International Workshop on Selected Areas in Cryptography (SAC 2006), volume 3897 of Lecture Notes in Computer Science, pages 110–127. Springer-Verlag, 2006.

[7] Alex Biryukov and Adi Shamir. Cryptanalytic time/memory/data tradeoffs for stream ciphers. In 6th International Conference on the Theory and Application of Cryptology and Information Security, Advances in Cryptology (ASIACRYPT 2000), volume 1976 of Lecture Notes in Computer Science, pages 1–13. Springer-Verlag, 2000.

[8] Andrey Bogdanov. Linear slide attacks on the KeeLoq block cipher. In Information Security and Cryptology (INSCRYPT 2007), volume 4990 of Lecture Notes in Computer Science, pages 66–80. Springer, 2007.

[9] Andrey Bogdanov and Christof Paar. On the security and efficiency of real-world lightweight authentication protocols. In 1st Workshop on Secure Component and System Identification (SECSI 2008). ECRYPT, 2008.

[10] Stephen C. Bono, Matthew Green, Adam Stubblefield, Ari Juels, Aviel D. Rubin, and Michael Szydlo. Security analysis of a cryptographically-enabled RFID device. In 14th USENIX Security Symposium (USENIX Security 2005), pages 1–16. USENIX Association, 2005.

[11] Johan Borst, Bart Preneel, Joos Vandewalle, and Joos V. On the time-memory tradeoff between exhaustive key search and table precomputation. In 19th Symposium in Information Theory in the Benelux, pages 111–118, 1998.

[12] Nicolas T. Courtois. The dark side of security by obscurity - and cloning MIFARE Classic rail and building passes, anywhere, anytime. In 4th International Conference on Security and Cryptography (SECRYPT 2009), pages 331–338. INSTICC Press, 2009.

[13] Nicolas T. Courtois, Gregory V. Bard, and David Wagner. Algebraic and slide attacks on KeeLoq. In 15th International Workshop on Fast Software Encryption (FSE 2000), volume 5086 of Lecture Notes in Computer Science, pages 97–115. Springer-Verlag, 2008.
[14] Nicolas T. Courtois, Sean O’Neil, and Jean-Jacques Quisquater. Practical algebraic attacks on the Hitag2 stream cipher. In 12th Information Security Conference (ISC 2009), volume 5735 of Lecture Notes in Computer Science, pages 167–176. Springer-Verlag, 2009.

[15] Joan Daemen and Vincent Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, 2002.

[16] Gerhard de Koning Gans, Jaap-Henk Hoepman, and Flavio D. Garcia. A practical attack on the MIFARE Classic. In 8th Smart Card Research and Advanced Applications Conference (CARDIS 2008), volume 5189 of Lecture Notes in Computer Science, pages 267–282. Springer-Verlag, 2008.

[17] Federal Communications Commission FCC. Guidelines for evaluating the environmental effects of radio frequency radiation. Technical report, Federal Communications Commission FCC, April 2009.

[18] Aurélien Francillon, Boris Danev, and Srdjan Čapkun. Relay attacks on passive keyless entry and start systems in modern cars. In 18th Network and Distributed System Security Symposium (NDSS 2011). The Internet Society, 2011.

[19] Flavio D. Garcia, Gerhard de Koning Gans, Ruben Muijrers, Peter van Rossum, Roel Verdult, Ronny Wichers Schreur, and Bart Jacobs. Dismantling MIFARE Classic. In 13th European Symposium on Research in Computer Security (ESORICS 2008), volume 5283 of Lecture Notes in Computer Science, pages 97–114. Springer-Verlag, 2008.

[20] Flavio D. Garcia, Gerhard de Koning Gans, and Roel Verdult. Exposing iClass key diversification. In 5th USENIX Workshop on Offensive Technologies (USENIX WOOT 2011), pages 128–136, San Francisco, CA, USA, 2011. USENIX Association.

[21] Flavio D. Garcia, Gerhard de Koning Gans, Roel Verdult, and Milosch Meriac. Dismantling iClass and iClass Elite. In 17th European Symposium on Research in Computer Security (ESORICS 2012), Lecture Notes in Computer Science. Springer-Verlag, 2012.

[22] Flavio D. Garcia, Peter van Rossum, Roel Verdult, and Ronny Wichers Schreur. Wirelessly pickpocketing a mifare classic card. In 30th IEEE Symposium on Security and Privacy (S&P 2009), pages 3–15. IEEE Computer Society, 2009.

[23] Flavio D. Garcia, Peter van Rossum, Roel Verdult, and Ronny Wichers Schreur. Dismantling SecureMemory, CryptoMemory and CryptoRF. In 17th ACM Conference on Computer and Communications Security (CCS 2010), pages 250–259. ACM/SIGSAC, 2010.

[24] Gerhard P. Hancke. Practical attacks on proximity identification systems (short paper). In 27th IEEE Symposium on Security and Privacy (S&P 2006), pages 328–333. IEEE Computer Society, 2006.

[25] Martin E. Hellman. A cryptanalytic time-memory trade-off. IEEE Transactions on Information Theory, 26(4):401–406, 1980.

[26] Motoki Hirano, Mikio Takeuchi, Takahisa Tomoda, and Kin-Ichiro Nakano. Keyless entry system with radio card transponder. IEEE Transactions on Industrial Electronics, 35:208–216, 1988.

[27] Sebastiaan Indesteege, Nathan Keller, Orr Dunkelmann, Eli Biham, and Bart Preneel. A practical attack on KeeLoq. In 27th International Conference on the Theory and Application of Cryptographic Techniques, Advances in Cryptology (EUROCRYPT 2008), volume 4965 of Lecture Notes in Computer Science, pages 1–8. Springer-Verlag, 2008.

[28] Markus Kasper, Timo Kasper, Amir Moradi, and Christof Paar. Breaking KeeLoq in a flash: on extracting keys at lightning speed. In 2nd International Conference on Cryptology in Africa, Progress in Cryptology (AFRICACRYPT 2009), volume 5580 of Lecture Notes in Computer Science, pages 403–420. Springer-Verlag, 2009.

[29] Keyline. Transponder guide. http://www.keyline.it/files/884/transponder guide 16729.pdf, 2012.

[30] Ziv Kfir and Avishai Wool. Picking virtual pockets using relay attacks on contactless smartcard. In 1st International Conference on Security and Privacy for Emerging Areas in Communications Networks (SecureComm 2005), pages 47–58. IEEE Computer Society, 2005.

[31] Ilan Kirschenbaum and Avishai Wool. How to build a low-cost, extended-range RFID skimmer. In 15th USENIX Security Symposium (USENIX Security 2006), pages 43–57. USENIX Association, 2006.
[32] Kerstin Lemke, Ahmad-Reza Sadeghi, and Chris- [42] Mate Soos, Karsten Nohl, and Claude Castelluc-
tian Stble. An open approach for designing se- cia. Extending SAT solvers to cryptographic prob-
cure electronic immobilizers. In Information Secur- lems. In 12th International Conference on The-
ity Practice and Experience (ISPEC 2005), volume ory and Applications of Satisfiability Testing (SAT
3439 of Lecture Notes in Computer Science, pages 2009), volume 5584 of Lecture Notes in Computer
230–242. Springer-Verlag, 2005. Science, pages 244–257. Springer-Verlag, 2009.

[33] Kerstin Lemke, Ahmad-Reza Sadeghi, and Chris- [43] Frank Stajano and Ross J. Anderson. The resurrect-
tian Stüble. Anti-theft protection: Electronic im- ing duckling: Security issues for ad-hoc wireless
mobilizers. Embedded Security in Cars, pages 51– networks. In 7th International Workshop on Se-
67, 2006. curity Protocols (WSP 2000), volume 1796 of Lec-
ture Notes in Computer Science, pages 172–182.
[34] Karsten Nohl. Immobilizer security. In 8th Inter- Springer-Verlag, 2000.
national Conference on Embedded Security in Cars
[44] Siwei Sun, Lei Hu, Yonghong Xie, and Xiangyong
(ESCAR 2010), 2010.
Zeng. Cube cryptanalysis of Hitag2 stream cipher.
In 10th International Conference on Cryptology
[35] Karsten Nohl, David Evans, Starbug, and Henryk
and Network Security (CANS 2011), volume 7092
Plötz. Reverse engineering a cryptographic RFID
of Lecture Notes in Computer Science, pages 15–
tag. In 17th USENIX Security Symposium (USENIX
25. Springer-Verlag, 2011.
Security 2008), pages 185–193. USENIX Associ-
ation, 2008. [45] Petr Štembera and Martin Novotný. Breaking
Hitag2 with reconfigurable hardware. In 14th Eur-
[36] Transponder IC, Hitag2. Product Data Sheet, Nov omicro Conference on Digital System Design (DSD
2010. NXP Semiconductors. 2011), pages 558–563. IEEE Computer Society,
2011.
[37] Hitag pro. Product Data Sheet, 2011. NXP Semi-
conductors. [46] Pang-Chieh Wang, Ting-Wei Hou, Jung-Hsuan Wu,
and Bo-Chiuan Chen. A security module for car ap-
[38] Philippe Oechslin. Making a faster cryptana- pliances. International Journal of World Academy
lytic time-memory trade-off. In 23rd International Of Science, Engineering and Technology, 26:155–
Cryptology Conference, Advances in Cryptology 160, 2007.
(CRYPTO 2003), volume 2729 of Lecture Notes
in Computer Science, pages 617–630. Springer- [47] I.C. Wiener. Philips/NXP Hitag2
Verlag, 2003. PCF7936/46/47/52 stream cipher reference
implementation. http://cryptolib.com/ciphers/hitag2/,
[39] Security transponder plus remote keyless entry – 2007.
Hitag2 plus, PCF7946AT. Product Profile, Jun
[48] Marko Wolf, Andre Weimerskirch, and Thomas
1999. Philips Semiconductors.
Wollinger. State of the art: Embedding security in
vehicles. EURASIP Journal on Embedded Systems,
[40] Amir Rahmati, Mastooreh Salajegheh, Dan Hol-
2007:074706, 2007.
comb, Jacob Sorber, Wayne P. Burleson, and Kevin
Fu. TARDIS: Time and remanence decay in [49] Jung-Hsuan Wu, Chien-Chuan Kung, Jhan-Hao
SRAM to implement secure protocols on embed- Rao, Pang-Chieh Wang, Cheng-Liang Lin, and
ded devices without clocks. In 21st USENIX Secur- Ting-Wei Hou. Design of an in-vehicle anti-theft
ity Symposium (USENIX Security 2012). USENIX component. In 8th International Conference on In-
Association, 2012. telligent Systems Design and Applications (ISDA
2008), volume 1, pages 566–569. IEEE Computer
[41] Andrew Rukhin, Juan Soto, James Nechvatal, Society, 2008.
Miles Smid, Elaine Barker, Stefan Leigh, Mark
Levenson, Mark Vangel, David Banks, Alan Heck-
ert, James Dray, and San Vo. A statistical test
suite for the validation of random number generat-
ors and pseudo random number generators for cryp-
tographic applications. NIST Special Publication,
pages 800–822, 2001.
