Home > Documents > Car keyless entry system attack - Home - Hack In The Box ... · CH2 CH1 CH2 CH1 125Khz 125Khz 315...

Car keyless entry system attack - Home - Hack In The Box ... · CH2 CH1 CH2 CH1 125Khz 125Khz 315...

Date post: 13-Oct-2020
Category:
Author: others
View: 8 times
Download: 1 times
Share this document with a friend
Embed Size (px)
of 21 /21
Car keyless entry system attack Yingtao Zeng,Qing Yang,Jun Li UnicornTeam,Qihoo360
Transcript
  • Car keyless entry system attack

    Yingtao Zeng,Qing Yang,Jun LiUnicornTeam,Qihoo360

  • Passive Keyless Entry System

    Image source:http://www.nxp.com/documents/leaflet/75017275.pdf

  • Normal Authentication Flow

  • Choose the Suitable Antenna

  • The 125Khz Carrier Signal

  • Decode The Data

  • The Relay Attack Scenario

  • The Relay Attack Scenario

    Noticetherearetimingconstraintsenforced!!!

  • Blue:CC1101Red:EM4095White:AS3933

  • CH1 CH1CH2CH2

    125Khz

    125Khz315Mhz

    315Mhz

    315Mhz

  • DEMO

  • DEMO

  • DEMO

  • COST

    • BQ241701.3• CC11011.3*6• EM40950.6• as39330.95• 125KhzAnt 0.95

    • 125Khz3DAnt 2.2• atmega3280p0.75*2• 2.5dbAnt 0.41*6• PCBbord 0.7*2• ~20EUR

  • ANT2.5DBi~320M

    RANGE1

  • RANGE2

  • Real world Attack scenarios

    CarisparkedinParkinglot/Roadside/etc

    Ownner isinHome/Shoppingmall/Starbuck/etc

    Oncethecarisstarted,ifthecarisbeingdrivenoutoftherelayrange,thecarwillonlywarningyouthatthekeyfob cannotbedetected,butitwon’tstoptheengine,sothethief(ie .us;))candriveutill outofgas.

  • Reference• http://ams.com/eng/Products/Wireless-Connectivity/Wireless-Sensor-Connectivity/AS3933• http://cache.nxp.com/documents/leaflet/75017275.pdf?fsrch=1&sr=1&pageNum=1• http://www.nxp.com/documents/leaflet/75017275.pdf• http://www.ti.com/lit/ds/swrs061i/swrs061i.pdf• https://eprint.iacr.org/2010/332.pdf

  • PossibleCountermeasures?Putthekeyfob insideafaradaycage/bagRemove the batteryStricter timing constraintsFor manufactures:take relative positionbetween the car and keyfob into consideration

  • Q&A


Recommended