Post on 13-Oct-2020
transcript
Car keyless entry system attack
Yingtao Zeng, Qing Yang, Jun Li (Unicorn Team, Qihoo 360)
Passive Keyless Entry System
Image source: http://www.nxp.com/documents/leaflet/75017275.pdf
Normal Authentication Flow
Choose the Suitable Antenna
The 125 kHz Carrier Signal
Decode The Data
The Relay Attack Scenario
Notice: there are timing constraints enforced!
Board photo legend: blue = CC1101, red = EM4095, white = AS3933
[Diagram: the two relay units, channels CH1 and CH2, with their 125 kHz and 315 MHz links]
DEMO
COST (unit price in EUR × quantity)
• BQ24170 1.3
• CC1101 1.3 × 6
• EM4095 0.6
• AS3933 0.95
• 125 kHz antenna 0.95
• 125 kHz 3D antenna 2.2
• ATmega328P 0.75 × 2
• 2.5 dBi antenna 0.41 × 6
• PCB board 0.7 × 2
• Total: ~20 EUR
Antenna: 2.5 dBi, link range ~320 m
RANGE1
RANGE2
Real world Attack scenarios
Car is parked in a parking lot / at the roadside / etc.
Owner is at home / in a shopping mall / in a Starbucks / etc.
Once the car has been started, if it is driven out of relay range the car only warns that the key fob cannot be detected; it does not stop the engine, so the thief (i.e. us ;)) can drive until it runs out of gas.
References
• AS3933 LF wake-up receiver: http://ams.com/eng/Products/Wireless-Connectivity/Wireless-Sensor-Connectivity/AS3933
• NXP passive keyless entry leaflet: http://www.nxp.com/documents/leaflet/75017275.pdf (also at http://cache.nxp.com/documents/leaflet/75017275.pdf?fsrch=1&sr=1&pageNum=1)
• TI CC1101 datasheet: http://www.ti.com/lit/ds/swrs061i/swrs061i.pdf
• A. Francillon, B. Danev, S. Capkun, "Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars": https://eprint.iacr.org/2010/332.pdf
Possible Countermeasures?
• Put the key fob inside a Faraday cage/bag
• Remove the battery
• Stricter timing constraints
• For manufacturers: take the relative position between the car and the key fob into consideration
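The slides say the car enforces timing constraints on the challenge-response exchange and list "stricter timing constraints" as a countermeasure. The simulation below, an added example that is not the Unicorn Team's code or any vendor's protocol, shows both points: a relay never touches the cryptography, so the response always verifies, and only the round-trip timing can reveal it. It also shows why tightening a millisecond-scale timeout is a weak bound. The frame air times, the fob processing time, the relay per-hop overhead, the HMAC stand-in for the transponder cipher and the shared key are all assumptions constructed for the example; the 320 m relay distance comes from the slides.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical pairing secret shared by car and key fob (constructed for the example).
SHARED_KEY = bytes(range(16))

# Assumed, illustrative timings in microseconds. Real values depend on the
# transponder, the LF/UHF bit rates and the frame lengths, none of which the talk gives.
LF_CHALLENGE_AIRTIME_US = 5_000   # 125 kHz challenge frame, car -> fob
FOB_PROCESSING_US = 2_000         # fob computes its response
UHF_RESPONSE_AIRTIME_US = 1_000   # 315 MHz response frame, fob -> car
SPEED_OF_LIGHT_M_PER_US = 299.79  # radio propagation, metres per microsecond

BASE_EXCHANGE_US = LF_CHALLENGE_AIRTIME_US + FOB_PROCESSING_US + UHF_RESPONSE_AIRTIME_US


def fob_response(challenge: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Key fob side: truncated MAC over the car's challenge.
    The real transponder cipher is vendor-specific; HMAC-SHA256 stands in for it."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


@dataclass
class DirectChannel:
    """Car and fob within normal LF range: propagation delay is negligible."""
    distance_m: float = 1.0

    def exchange(self, challenge: bytes) -> tuple[bytes, int]:
        flight_us = 2 * self.distance_m / SPEED_OF_LIGHT_M_PER_US
        return fob_response(challenge), round(BASE_EXCHANGE_US + flight_us)


@dataclass
class RelayChannel:
    """Two relay boxes, one at the car and one at the fob, joined by their own radio link.
    Each direction costs demodulation, the link hop and re-transmission. The attacker
    forwards the frames unchanged, so the cryptography still verifies; only timing changes."""
    distance_m: float = 320.0        # link range reported on the slides
    per_hop_overhead_us: int = 400   # assumed demod + re-modulation cost per direction

    def exchange(self, challenge: bytes) -> tuple[bytes, int]:
        flight_us = 2 * self.distance_m / SPEED_OF_LIGHT_M_PER_US
        elapsed = BASE_EXCHANGE_US + 2 * self.per_hop_overhead_us + flight_us
        return fob_response(challenge), round(elapsed)


def car_unlock(channel, timeout_us: int,
               challenge: bytes = b"\x01\x02\x03\x04\x05\x06\x07\x08",
               key: bytes = SHARED_KEY) -> bool:
    """Car side: send a challenge, accept only a correct response within timeout_us.
    A fixed challenge is used here for reproducibility; a real car draws a fresh nonce."""
    reply, elapsed_us = channel.exchange(challenge)
    if not hmac.compare_digest(reply, fob_response(challenge, key)):
        return False                 # wrong key: the cryptography catches it
    return elapsed_us <= timeout_us  # relay: only the timing check can catch it


def relay_budget_m(timeout_us: int) -> float:
    """One-way distance (metres) a zero-overhead relay could add before the exchange
    exceeds timeout_us: 1 us of slack on the round trip is ~150 m of extra one-way path."""
    slack_us = timeout_us - BASE_EXCHANGE_US
    return max(0.0, slack_us * SPEED_OF_LIGHT_M_PER_US / 2)


if __name__ == "__main__":
    loose, strict = 20_000, 8_100  # a permissive timeout versus one just above the legit time
    for name, channel in (("legit", DirectChannel()), ("relay", RelayChannel())):
        print(f"{name}: loose={car_unlock(channel, loose)} strict={car_unlock(channel, strict)}")
    print(f"strict timeout still tolerates a zero-overhead relay up to ~{relay_budget_m(strict):.0f} m")
```

With the assumed numbers the relay passes the 20 ms timeout and fails the 8.1 ms one, but only because the relay boxes add processing delay. The `relay_budget_m` figure shows the catch: 100 µs of slack is still roughly 15 km of radio path, so a timeout measured in milliseconds bounds distance poorly, which is the argument made in the eprint 2010/332 reference and why the slides also suggest checking the relative position of car and key fob rather than relying on timing alone.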
Q&A