Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

hitag3

advertisement 
Gone in 360 Seconds:
Hijacking with Hitag2
PREAMBLE
 Electronic vehicle immobilizer - anti-theft device.
 Prevents the engine of the vehicle from starting
unless the corresponding transponder is present.
 Passive RFID tag embedded in the car key
 Hitag2
 Proprietary stream cipher
 48-bit keys for authentication and confidentiality.
Vulnerabilities
 Lack of a pseudorandom number generator renders system susceptible to replay attacks
 Recovery of keystream possible
 One in four authentication attempts leaks one bit
of information about the secret key
 16 bits of information over the secret key are
persistent throughout different sessions.
Hardware Setup
Proxmark III board
 FPGA - Low-level RF operations such as
modulation/demodulation
 Microcontroller - high-level operations like
encoding/decoding of frames
 BPLM – encodes communication from reader to
transponder
 Support for Manchester or Biphase - eavesdrop,
generate, and read communications from reader
to transponder
Functionality
 Public mode – contents of the user data pages are
simply broadcast by the transponder
 Password mode – reader and transponder
password authentication. Replay attack possible.
 Crypto mode – mutual authenticationof reader
and transponder by means of a 48-bit shared key,
encrypted using a proprietary stream cipher.
MEMORY
 256 bits of non- volatile memory (EEPROM)
 Organized in 8 blocks of 4 bytes each.
 In crypto mode –
Communication
 Master-slave principle
 Reader sends a command to the transponder
 Transponder responds after a predefined period of
time
 There are five different commands:
 authenticate, read, read, write, halt.
Cipher
 48-bit linear feedback shift register (LFSR)
 Non-linear filter function f .
 Twenty bits of the LFSR generate one bit of
keystream.
 LFSR shifts one bit to the left
 Uses the generating polynomial to generate a new
bit on the right.
Authentication protocol
Hitag2 weaknesses
 Arbitrary length keystream oracle – Since there is no
challenge from the transponder it is possible to replay any
valid {nR}{aR} pair to the transponder to achieve a successful
authentication.
 Dependencies between sessions – LFSR bits 0 to 15 remain
constant throughout different session which gives a strong
dependency between them.
 Low degree determination of the filter function - with
probability 1/4 the fil- ter function f is determined by the
34-leftmost bits of the internal state.
ATTACKS
 Malleability attack – adversary first acquires keystream.
 Then uses it to read or write any block on the card
 Time/memory tradeoff attack – hinges on the fact that
the linear difference between a state s and its n-th
successor is a combination of the linear differences
generated by each bit.
 Cryptanalytic attack - an attacker can recover the secret
key after gathering a few authentication attempts from a
car.
Starting a car
 In the dashboard of the car there is a slot to insert
the remote and a button to start the engine.
 When a piece of plastic of suitable size is inserted
in this slot the car repeatedly attempts to
authenticate the transponder
 As soon as the car receives a valid identifier, the
dashboard lights up and the LCD screen pops-up
Implementation weakness
 Weak random number generators – most PRNGs
use the time as a seed.
 The time intervals do not have enough precision.
 Multiple authentication attempts within a time
frame of one second get the same random number.
 More than one car may have a PRNG with
dangerously low entropy
Implementation weakness
 Low entropy keys – some cars have repetitive
patterns in their keys
 Vulnerable to dictionary attacks
 Readable keys - remote keyless entry system with
wider range are vulnerable to wireless attacks
 A transponder which is wirelessly accessible over a
distance of several meters and a non protected
readable key
Implementation weakness
 Predictable transponder passwords - use of
default or predictable passwords as transponder
keys, or cryptosystem may get broken
 Identifier pickpocketing – use of a low-frequency
(LF) interface to wirelessly pickpocket the identifier
from the victim’s key.
 Use of wide range ultra-high frequency (UHF)
interface to eavesdrop the transmission of a hybrid
transponder when the victim presses a button on
the remote
Mitigation
 Automotive industry to migrate from weak
proprietary ciphers to ones like AES
 Extend the transponder password
 Delay authentication after failure
 Improve the pseudo-random number generator
where it’s used to generate nonces
QUESTIONS!
Related documents
Qualifier Exam in Information Security Spring 2011
Qualifier Exam in Information Security Spring 2011
Automatic Identification System
Automatic Identification System
DOD AIMS 86-100, Mode 4 Handbook, May 1987
DOD AIMS 86-100, Mode 4 Handbook, May 1987
Deh Cho Bridge Tolling
Deh Cho Bridge Tolling
mode s transponder designed with a software defined radio
mode s transponder designed with a software defined radio
CMD-N Arris Node Transponder
CMD-N Arris Node Transponder
FOX Satellite Program Space Symposium 2011
FOX Satellite Program Space Symposium 2011
FOX Satellite Program Space Symposium 2011
FOX Satellite Program Space Symposium 2011
Chapter 11 HW
Chapter 11 HW
Agile Networks 2.0
Agile Networks 2.0
Systematic Characterization and Calibration of a... Ultrasonic Positioning System for Use in...
Systematic Characterization and Calibration of a... Ultrasonic Positioning System for Use in...
III1__I__Y__~IIIIPI_1__LII~~- _I~-_II.Y
III1__I__Y__~IIIIPI_1__LII~~- _I~-_II.Y
notes - amsatuk.me.uk
notes - amsatuk.me.uk
Media Alert
Media Alert
Davis
Davis
Antenna Pattern Measurement Guide
Antenna Pattern Measurement Guide
Electrical Ground Support System(EGSE) Design for
Electrical Ground Support System(EGSE) Design for
TM 11-5841-268-25 - Liberated Manuals
TM 11-5841-268-25 - Liberated Manuals
Virtual Long Baseline (VLBL) Autonomous Underwater Vehicle
Virtual Long Baseline (VLBL) Autonomous Underwater Vehicle
TM 11-6625-842-15 - Liberated Manuals
TM 11-6625-842-15 - Liberated Manuals
6_ Annex 6 5 - Link Budgets
6_ Annex 6 5 - Link Budgets
Manual - The Pennsylvania Turnpike
Manual - The Pennsylvania Turnpike
Download
advertisement