Ryan Kagin University of Illinois Fall 2007

1 Keyless Entry
Ryan Kagin, University of Illinois, Fall 2007

2 Overview
- History
- Structure
- Communication protocols
- Automobile applications
- Security issues
- Case Study: Texas Instruments Device

3 History
- 1950’s: Garage door openers used one common frequency for all garage doors
- 1970’s: DIP switches used to vary transceiver / transmitter codes
- 1993: Lectron’s passive keyless entry for Corvette
Notes:
- 1950’s security hole: large security hole, anyone could open anyone’s garage door!
- 1970’s security hole: not many combinations, vulnerable to replay attack
- Corvette: used a motion sensor that triggers the CID to transmit the authorization code. The problem was high cost and low battery life because of continual transmission.
Brain 07, Hirano 88

4 Comparison Between Garage Doors and Automobile Systems
Garage Door Openers:
- Less security threat
- One-way communication
- Simple programming: allow garage door to receive shared key
- Allow multiple openers for one door
Automobile Systems:
- High security threat model
- Uses combination of one-way and two-way communication
- Shared key preprogrammed into automobile and key

5 Basic Structure
Contains 2 parts:
- Transmitter (typically key fob)
- Receiver (typically automobile)
Current designs use:
- Two way communication
- LF for sleeping mode

6 Communication Protocols
Fixed Code Technique
- Transmit constant code within certain range, similar to garage door openers in the past.
- Typically unused: designs moved away from this because of scan and replay attacks
Alrabady 05

7 Communication Protocols
Rolling Code Technique
- Initially start with 40-bit counter
- Each communication first transmits counter, then increments it in algorithmic fashion
- Automobile verifies transmitted code
- Precautions: padding and “resynchronizing”
Notes:
- Padding: the automobile can accept up to 200 future codes based on the shared algorithm
- “Resynchronizing”: if pressed 201 times or more, there’s a method to sync the key fob and the automobile
Alrabady 05
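The receiver-side check from this slide, as an added example that is not part of the original presentation. The slides do not name the shared algorithm or the resync method, so HMAC-SHA256 truncated to 40 bits, the `RESYNC_SPAN` value and the "two consecutive far-ahead codes" resync rule are assumptions.

```python
import hashlib
import hmac

WINDOW = 200         # from the slide: accept up to 200 future codes
RESYNC_SPAN = 4096   # assumed search range for resynchronizing

def code_for(key: bytes, counter: int) -> bytes:
    """40-bit code for a counter value; HMAC-SHA256 is a stand-in algorithm."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[:5]

class Fob:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.key, self.counter)

class Receiver:
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter
        self.pending = None  # counter of a far-ahead code awaiting its successor

    def _match(self, code: bytes, first: int, last: int):
        for c in range(first, last + 1):
            if hmac.compare_digest(code, code_for(self.key, c)):
                return c
        return None

    def accept(self, code: bytes) -> str:
        # Resync step 2: expect the code right after a pending far-ahead code.
        if self.pending is not None:
            nxt, self.pending = self.pending + 1, None
            if hmac.compare_digest(code, code_for(self.key, nxt)):
                self.counter = nxt
                return "resynced"
        # Normal case: only counters strictly ahead of the last accepted one.
        c = self._match(code, self.counter + 1, self.counter + WINDOW)
        if c is not None:
            self.counter = c  # everything up to c is now stale, so replays fail
            return "ok"
        # Resync step 1: valid but beyond the window; remember it, do not act.
        c = self._match(code, self.counter + WINDOW + 1, self.counter + RESYNC_SPAN)
        if c is not None:
            self.pending = c
            return "resync-pending"
        return "reject"
```

A recorded code is rejected on replay because the receiver only searches counters ahead of the last one it accepted.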

8 Communication Protocols
Challenge-Response Technique
- Automobile challenges key fob by sending random number
- Key fob encrypts it and sends it back to automobile
- Automobile compares for validity
- Used in remote keyless entry
Alrabady 05

9 Applications in Automobiles
Three main components:
- Remote Keyless Entry System (RKE)
  - Also includes passive keyless entry
- Remote Keyless Ignition System (RKI)
- Immobilizer (Im)

10 Remote Keyless Entry System
A system designed to remotely permit or deny access to premises or automobiles.
- Typically uses rolling code technique
- When button is pressed, function code and counter are sent
- Automobile verifies counter and performs function if correct
Alrabady 03

11 Passive Keyless Entry
- Typically uses challenge-response technique
- When reaching for door handle, automobile wakes key fob with LF signal
- Communication begins when pulling commences.
- Requires fast protocol to prevent mechanical jam.
Alrabady 03, 05

12 Passive Keyless Entry
Sequence over time:
- User pulls door handle
- Challenge with pseudorandom number
- Automobile computes expected response
- Key fob computes response
Notes:
- Challenge is done with LF to wake the CID from its low power consumption state.
- If response is valid, automobile performs requested function.
- The key to the protocol: it needs to be fast to prevent mechanical jam
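The challenge-response exchange from slides 8 and 12, seen from the automobile's side, as an added example that is not part of the original presentation. HMAC-SHA256 stands in for the unspecified encryption, and the `DEADLINE_S` value, the injected `clock` and the class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

DEADLINE_S = 0.05  # assumed response deadline; the slides only say "fast"

def fob_response(key: bytes, challenge: bytes) -> bytes:
    """Key fob side: keyed MAC of the challenge (stand-in for the fob's cipher)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]

class Car:
    def __init__(self, key: bytes, clock):
        self.key, self.clock = key, clock
        self.outstanding = None  # (challenge, issue time); at most one, single use

    def pull_handle(self) -> bytes:
        # CSPRNG output, so a new challenge cannot be predicted from earlier ones.
        challenge = secrets.token_bytes(16)
        self.outstanding = (challenge, self.clock())
        return challenge

    def verify(self, response: bytes) -> bool:
        if self.outstanding is None:
            return False
        # Consume the challenge so one response can never be checked twice.
        (challenge, issued), self.outstanding = self.outstanding, None
        if self.clock() - issued > DEADLINE_S:
            return False
        expected = fob_response(self.key, challenge)  # car computes expected response
        return hmac.compare_digest(response, expected)
```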

13 Remote Keyless Ignition
A system that allows remote communication to start or turn off a car.
- Also typically uses challenge-response technique
Alrabady 03

14 Immobilizer
An electronic device fitted to an automobile which prevents the engine from running unless the correct key is present.
- If key fob is not present, then fuel does not get injected into the engine.

15 Security Issues
Types of attacks:
- Scan attack: generic brute force
- Playback attack: record old messages
- Two-thief attack: generic man-in-the-middle attack
- Challenge forward prediction attack: predict future answer from previous
- Dictionary attack: compile valid pairs
Notes:
- Scan attack: Have a fixed code, go up to the car, and try the code after pulling the handle.
- Playback attack: Record transmitted messages when user initiates communication, and play them back to the car later.
- Two-thief attack: One next to key fob, one next to car. Pull the handle, get the challenge, send it to the other thief, get the response, send it to the first thief, and open the car.
- Challenge forward prediction attack: Generate the predicted challenge, go to key fob, get the response, and then go to car and receive the challenge and break in.
- Dictionary attack: Spam key fob with random challenges and get valid pairs. Then get challenge from car and try hash lookup.
Alrabady 05

16 Case Study: TRC1300
Texas Instruments Remote Control Encoders/Decoders
- Uses 40-bit rolling code: ~1.1 trillion different potential codes
- Transmitter sends 40-bit code and function code (up to 15 different codes)
- Both transmitter and receiver use same pseudorandom number generator

17 Case Study: TRC1300
- Precode used to sync decoder and encoder to pick up the clock cycles.
- Security code used to verify CID.
- Function code used to determine if two buttons are pressed down or not.
- Blank time to delineate between frames.
- Frames used to limit power consumption.

18 References
- Marshall Brain, “How Remote Entry Works”, accessed 11 Nov 2007.
- Ansaf Ibrahem Alrabady and Syed Masud Mahmud, “Some Attacks Against Vehicles’ Passive Entry Systems and Their Solutions”. IEEE Transactions on Vehicular Technology, vol. 52, no. 2, pp , March 2003.
- Ansaf Ibrahem Alrabady and Syed Masud Mahmud, “Analysis of Attacks Against the Security of Keyless-Entry Systems for Vehicles and Suggestions for Improved Designs”. IEEE Transactions on Vehicular Technology, vol. 54, no. 1, pp , January 2005.
- Xiao Ni and Victor Foo Siang Fook, “AES Security Protocol Implementation for Automobile Remote Keyless System”. IEEE Transactions on Vehicular Technology, vol. 56, no. 3, pp , April 2007.
- Steve Bono, Matthew Green, Adam Stubblefield, and Avi Rubin, “Analysis of the Texas Instruments DST RFID”, accessed 11 Nov 2007.
- Texas Instruments, “TRC1300 Specifications”, accessed 11 Nov 2007.
- M. Hirano, M. Takeuchi, T. Tomoda, and K. Nakano, “Keyless entry system with radio card transponder”, IEEE Transactions on Industrial Electronics and Control, vol. 35, no. 2, pp , March 2007.
