Fast, Furious and Insecure: Passive Keyless Entry and Start Systems in Modern Supercars
Fast, Furious and Insecure: Passive Keyless Entry and Start Systems in Modern Supercars
Fast, Furious and Insecure: Passive Keyless Entry and Start Systems in Modern Supercars
Abstract. The security of immobiliser and Remote Keyless Entry systems has been
extensively studied over many years. Passive Keyless Entry and Start systems, which
are currently deployed in luxury vehicles, have not received much attention besides
relay attacks. In this work we fully reverse engineer a Passive Keyless Entry and
Start system and perform a thorough analysis of its security.
Our research reveals several security weaknesses. Specifically, we document the use of
an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication
in the challenge-response protocol, no firmware readout protection features enabled
and the absence of security partitioning.
In order to validate our findings, we implement a full proof of concept attack allowing
us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial
off the shelf equipment. Our findings most likely apply to other manufacturers of
luxury vehicles including McLaren, Karma and Triumph motorcycles as they all use
the same system developed by Pektron.
Keywords: Passive Keyless Entry and Start, reverse engineering, Digital Signature
Transponder
Introduction
The first Remote Keyless Entry (RKE) system for cars was introduced by Renault in
1982 [Smi16]. Back then these systems used infrared instead of Radio Frequency (RF)
transmissions. Nowadays, vehicles are typically equipped with a RKE system and often
include a Passive Keyless Entry (PKE) system. The former allows users to lock and
unlock their vehicle by the press of a button on a key fob. The latter unlocks the vehicle
automatically when the key fob is in its close proximity.
Additionally, cars employ an immobilizer system that verifies the legitimacy of the
user’s key fob before starting the engine. According to Van Ours and Vollaard, the use of
immobilizer systems reduced the number of car thefts significantly [vOV16]. Immobilizers
are usually implemented using a cryptographically enabled Radio-Frequency IDentification
(RFID) device embedded in the key fob. The first family of such RFID chips was introduced
by Texas Instruments in 1995. These Digital Signature Transponders (DST) relied on the
proprietary DST40 cipher [Kai08].1
While traditionally keyless entry and immobilization were two separate systems, nowa-
days luxury cars often combine these features into a single Passive Keyless Entry and Start
1 RFID chips are sometimes also called RFID transponders and we will use both terms interchangeably.
(PKES) system. This allows to unlock the vehicle and disengage the immobilizer without
any user interaction. The move towards PKES systems results in higher convenience for
users but could also facilitate certain attacks as no interaction of the legitimate user is
required. For example, recent reports have shown car thieves using relay attack systems
which can be purchased online [FDC11, YZL17, Pol17, AC17].
Contributions
The main contributions of our work are twofold.
• Security analysis. We provide the reader with a detailed explanation of our reverse
engineering efforts and protocol analysis. By doing so we identify multiple security
issues in the PKES system designed by Pektron such as the use of an inadequate
proprietary cipher, the lack of mutual authentication in the challenge-response
protocol, no firmware readout protection features enabled and the absence of security
partitioning. Additionally, we explore the feasibility of a car-only attack, i.e. without
access to the key fob.
• Proof of Concept attack. The combination of the identified issues allows for a
very efficient attack. We implement a Proof of Concept (PoC) attack allowing us to
clone the key fob of high-end vehicles such as the Tesla Model S using Commercial
Off The Shelf (COTS) equipment in seconds.2 We are hence able to unlock and start
the vehicle at any time.
Structure
The remainder of this paper is structured as follows. We start by discussing the related
work in Section 1. In Section 2 we discover publicly undocumented commands in Texas
Instruments DST transponders. In Section 3 we reverse engineer the PKES system followed
by a security analysis in Section 4. In Section 5 we implement a full PoC attack on this
PKES system allowing us to clone and emulate a target key fob. Additionally, we share
our experience with notifying the affected manufacturers in Section 6 and explore potential
mitigation strategies in Section 7. Finally, in Section 8 we conclude this manuscript.
1 Related work
Over the years, researchers have shown that manufacturers often rely on proprietary ciphers
for their keyless entry and immobilizer systems. The proprietary DST40 cipher was reverse
engineered by Bono et al. back in 2005 [BGS+ 05]. Subsequently, the authors constructed
a key cracker using 16 FPGAs allowing the recovery of the 40-bit cryptographic key from
two challenge-response pairs in less than one hour. At the time of their research, DST40
was used in an estimated 150 million vehicle immobilizers and 7 million Speedpass tags for
Exxon Mobil’s payment system.
2 We provide a proof of concept video at: https://www.youtube.com/watch?v=aVlYuPzmJoY
68 Passive Keyless Entry and Start Systems in Modern Supercars
The only publicly known attack on DST40’s successor DST80 is a physically invasive
downgrade attack using a laser and probing station [HT15]. In addition, it requires
prolonged physical access to the victim’s key fob, expensive equipment and a skilled
operator. It is important to note that these researchers had access to the specifications of
DST80 during the development of their attack [dst].
Bogdanov was the first to analyze and conduct attacks on the proprietary KeeLoq block
cipher owned by Microchip [Bog07]. A more practical algebraic attack was introduced by
Indesteege et al. in 2008 [IKD+ 08]. This attack required 65 minutes of access to the victim’s
key fob in order to collect the necessary plaintext-ciphertext pairs for recovering the key.
Eisenbarth et al. presented a Differential Power Analysis (DPA) attack on a Microchip
HCS encoder requiring only ten power traces [EKM+ 08]. In 2009 Kasper et al. introduced
a Simple Power Analysis (SPA) attack on a KeeLoq software implementation [KKMP09].
This led them to recover the manufacturer key from a single power trace.
In 2012 Verdult et al. executed multiple cryptanalytic attacks on the Hitag2 stream
cipher used in NXP transponders [VGB12]. The details of this cipher were previously
published in [Wie07]. Their attacks allow to recover the 48-bit key in less than 360 seconds.
Despite these attacks, Hitag2 is still widely used in vehicle immobilizers and RKE systems.
In 2013 Verdult et al. reverse engineered the Megamos Crypto cipher from an automotive
key programmer’s software. Furthermore, they proposed practical attacks on both the
cipher and the authentication protocol [VGE13].
In addition to the weaknesses identified at the cryptographic primitive level, manufac-
turers often neglect key management. Garcia et al. conducted a security analysis of multiple
keyless entry systems used by the Volkswagen Group between 1995 and 2016 [GOKP16].
Their findings revealed that some of these systems rely on a single master key which can be
retrieved using commercial programmers. This flaw enables adversaries to clone a key fob
after eavesdropping on a single transmission. The authors also proposed a novel attack on
a Hitag2-based rolling code scheme used by several car manufacturers. This attack requires
eavesdropping on 4–8 transmissions and about one minute of computation. Benadjila et al.
analyzed a variant of this Hitag2-based rolling code scheme which is not susceptible to the
attack proposed by Garcia et al. They propose an attack through which it is possible to
forge valid packets without needing to retrieve the cryptographic key; this attack requires
eavesdropping on two legitimate transmissions [BRLK17].
Even if strong cryptographic primitives with unpredictable random keys are used,
attacks that exploit weaknesses in the protocol such as relay attacks and eavesdropping-
and-jamming may still be possible. The former can be executed by relaying the messages
exchanged between genuine devices [FDC11, YZL17]. The latter can compromise the
security of rolling-code-based systems by capturing a valid message while jamming it
such that the legitimate device is unable to receive it [Kam15, KKMP09]. By repeatedly
eavesdropping-and-jamming valid messages and transmitting the previously recorded
message, adversaries always have one valid rolling code that will be accepted by the
victim’s car.
0 8 16 24 32 40 48 56 64
Figure 1: The SPI frame structure. All frames sent to the DST chip include a length
(LEN) and command (CMD) field. Some of these frames additionally require write access
(WA) and/or data fields. For a specific set of commands, the DST chip will reply with a
few data bytes (e.g. in the case of an EEPROM read or response request).
microcontroller can interact with the TMS37126 using SPI [MWC12]. For example, it
illustrates the SPI frame structure and shows how to interact with the chip to execute
DST40.
This section covers the techniques we used to identify publicly undocumented SPI
commands. Our initial goal was to learn more about the functionality provided by these
transponders and to identify the command used to perform DST80.
Figure 2: X-ray image of the Texas Instruments TMS37F128. From this image one can
identify two dies interconnected by five bond wires. Better viewed on-screen.
some minor differences. A description of this algorithm is out-of-scope for this paper and is not included.
Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel 71
Figure 3: The Tesla Model S key fob PCB with the TMS37F128 chip in the middle. The
square shaped pads at the top can be used to connect an MSP430 compatible JTAG
debugger.
Binary Ninja [Vec] in combination with the MSP430 plugin [Jos]. In this stage the goal
was to get a high level overview of the firmware and to identify the routines to be more
closely investigated in stage two. Static analysis involves many hours of reading assembly
code, but some information can be taken into account while trying to identify routines of
interest [SG16].
The Interrupt Vector Table (IVT), which is stored at the end of the program memory,
enabled us to identify the routines that are executed when an interrupt occurs. Using the
information from this table we were able to identify the entry point to the firmware image
as well as the routines that handle the press of a button on the key fob. Special Function
Registers (SFR) can also be used to identify routines of interest. As we are interested
in the SPI communication we searched for references to the address of the SPI transmit
buffer. Using these techniques we were able to identify a few routines to be analyzed in
stage two.
The second stage is dynamic firmware analysis. This analysis involved debugging a
real Tesla Model S key fob using the Olimex debugger and the MSPdebug software. The
MSP430F1232 supports up to two breakpoints that can be used to halt the processor at
certain addresses. When the processor is halted we can inspect the contents of the registers
and dump the memory, this is very useful when trying to understand the firmware. For
example, by setting breakpoints at the start and end of the SPI routine we could easily
identify the bytes being sent and received by the MSP430 microcontroller. In fact, we used
this method to identify all the SPI commands that are used during nominal operation of
the key fob.
As was already mentioned, we expected the microcontroller to query the transponder
for a DST80 response; to our surprise we found that the microcontroller was using only
one of the four cipher commands (0x86) identified in Section 2.1. Additionally, we had
already identified this particular command to be the DST40 compression function.
Using a 40-bit cipher today results in inadequate security levels as even an exhaustive
search is feasible in a reasonable amount of time; Bono et al. demonstrated this in
2005 [BGS+ 05] (see also Section 5.1). While cryptanalysis might reveal weaknesses that
further reduce the security of the cipher, it is a time consuming and unnecessary process for
a 40-bit key. In the case of DST40 an exhaustive search will require two challenge-response
pairs to recover the correct key as the challenge (40-bit) is larger than the response (24-bit).
In Section 5.1 we show how a vulnerability in the PKES protocol can be exploited by
a Time-Memory Trade-Off attack allowing key recovery in a matter of seconds.
72 Passive Keyless Entry and Start Systems in Modern Supercars
In order to understand and analyze the RF protocol used in the PKES system we need to
be able to receive and transmit with the same physical layer properties as the car and key
fob. The vehicle transmits data over Low Frequency (LF) (134.2 kHz) to the key fob which
replies over Ultra High Frequency (UHF) (433.92 MHz). The remainder of this subsection
will describe how we built transceivers capable of emulating both the car and key fob.
According to [MWC12] the vehicle uses Burst Width Modulation (BWM). This is also
known as Binary Pulse Length Modulation (BPLM) [GPHM10] or Pulse Position Modula-
tion (PPM) [Tex09]. In this modulation scheme bits are encoded by the period during
which the carrier is modulated. Bits are separated by a fixed period in which the carrier is
unmodulated.
We used a Proxmark III RFID security research tool [GdKGV12] to receive and transmit
LF signals, as it supports the 134.2 kHz operating frequency. During this research we
had full-time access to a spare Tesla Model S key fob but only limited access to a vehicle.
Because of this we first implemented car impersonation, allowing us to use a second
Proxmark III to implement receiving.
We configured the Proxmark’s relay and multiplexer to use the low frequency peak
detect circuit and configured the FPGA to use the peak detection algorithm implemented
by iZsh [fai14]. Using one of the microcontroller’s timers the number of clock cycles
between pulses can be counted in order to demodulate the received signal to bits. While
this implementation could successfully receive frames transmitted by a Proxmark it did
not allow us to receive frames transmitted by the car.
The peak detect circuit on the Proxmark III is implemented using a diode, causing
a voltage drop. This voltage drop in combination with the low received signal strength
caused all information to be lost before entering the 8-bit Analog-to-Digital Converter
(ADC), making it impossible for the FPGA to detect any peaks. To overcome this issue,
we soldered a wire from the output of the low frequency raw input path amplifier to the
input of the peak detect circuit. This effectively amplifies the signal before it reaches
the analog peak detect circuit. Afterwards we reconfigured the relay and multiplexer in
software to accommodate for this change. Additionally, we wrote our own peak detect
Verilog code for the FPGA. Our peak detection algorithm allows to more reliably receive
transmissions sent by the vehicle over longer distances. However, it is less sophisticated
and more application specific compared to the peak detection algorithm implemented by
iZsh [fai14]. A complete overview of the implemented demodulation mechanism using the
Proxmark III is provided in Appendix C.
We used a software defined radio dongle in order to determine the physical layer param-
eters such as the operating frequency (433.9 2MHz), symbol rate (2550 symbols/s) and
modulation (Amplitude Shift Keying (ASK)). We refer the reader to [Oss16] for more
information on the employed techniques.
Using the obtained physical layer parameters we configured a YARD Stick One [Gad]
radio transceiver using the RfCat Python library [atl]. This allows us to send and receive
data using the same physical layer parameters as the Tesla Model S key fob.
Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel 73
4 Protocol analysis
The analyzed key fobs use two communication protocols. The most frequently used one is
the PKES system in which the legitimate key fob automatically engages in a challenge-
response protocol with the car (two-way communication). Secondly, the user can lock and
unlock the car, open and close the trunk and open the front storage compartment or frunk
of the car by the press of a button (one-way communication). In this section we explain
how we reverse engineered both protocols used in the Tesla Model S vehicles.
wake1
reply1
40-bit challenge
24-bit response
wake2
reply2
40-bit challenge
24-bit response
wake3
reply3
Figure 4: The PKES protocol during nominal operation assuming the key fob is in range
of the car.
We created a Python framework handling both the Proxmark III and YARD Stick
One, allowing us to receive all communications exchanged by vehicle and key fob during
passive entry and passive start.
Figure 4 gives an overview of the PKES protocol during nominal operation. Our
experiments on two different Tesla Model S vehicles show that the general structure of
0 8 16 24 32 40 48 56 64
Figure 5: The structure of LF frames transmitted by the car. The 2-byte car ID is followed
by a command byte, in case of a response request an additional challenge is concatenated.
74 Passive Keyless Entry and Start Systems in Modern Supercars
LF frames is as outlined in Figure 5. The car periodically sends one of four 3-byte wake
frames consisting of a 2-byte car identifier and a command byte. If the key fob is in range
it receives this wake message and replies with a 3-byte frame that is fixed yet unique for
each of the four wake messages. Our experiments show that the correct reply to a given
wake message can be easily calculated as the latter is an obfuscated version (using byte
swaps and logical shifts) of the former.
The car verifies this reply and transmits an 8-byte frame consisting of the 2-byte car
identifier, a command byte and a 5-byte challenge. In turn the key fob uses this challenge
in the DST40 compression function to produce a 24-bit response before transmitting it over
UHF. The vehicle verifies the response and, if successful, unlocks the doors. Afterwards
the car and key fob engage in a keep-alive protocol in which the car repeatedly transmits
one of the four wake messages to which the key fob replies. Once the driver presses down
on the brake pedal to start the vehicle the key fob again authenticates to the vehicle using
the same challenge-response protocol described above. This second authentication serves
as the immobilizer; it uses the same 40-bit cryptographic key used for opening the car.
As there is no mutual authentication in the protocol the key fob replies to any challenge
it receives as long as the frame format is correct. This allows for a chosen input attack
which we exploit in our PoC. Additionally, as there is no security partitioning, recovering a
single 40-bit key allows an adversary to both unlock the vehicle and start it. Furthermore,
the protocol does not implement any distance bounding mechanisms and is thus vulnerable
to a relay attack. This was confirmed in practice during a recent study by the Allgemeiner
Deutscher Automobil-Club [AC17].
in any way. If the adversary succeeds in obtaining a valid lock command he would be able
to unlock the car by changing the action byte before transmission.
to the legitimate key fob for a few seconds (e.g. walking by the target) in order to acquire
the two challenge-response pairs.
Phase 2: Key recovery. During the second phase the adversary recovers the 40-bit
key from these two challenge-response pairs.
Phase 3: Key fob impersonation. After recovering the 40-bit key, the adversary
proceeds to mimic the behavior of the victim’s key fob to unlock and start the target
vehicle.
For Phases 1 and 3 of the proposed attack we made minor modifications to our protocol
analyzer. Phase 1 is possible due to the lack of mutual authentication in the protocol. Our
implementation of Phase 2 is now explained in detail.
6 Vendor notification
Uncovering vulnerabilities in commercial products always poses a dilemma. On the one
hand, announcing the weakness publicly allows third parties to exploit it. On the other
hand, hiding it provides no guarantees that it will not be discovered by the less benevolent
(or worse, that it already has been discovered and is being exploited). To address this,
mechanisms for responsible disclosure of security vulnerabilities have been put into place to
ensure proper handling. In what follows, we describe the disclosure procedure we followed.
5 One of these cars was provided by Tesla Motors’s engineering team for the demonstration of the
attack.
Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel 77
Figure 6: The entire attack platform. Consisting of a Yard Stick one, Proxmark III,
Raspberry Pi 3 Model B+, a battery pack and a 6 TB hard drive.
We first contacted Tesla Motors about these issues on August 31 2017 as per their
responsible disclosure guidelines.6 They provided an initial confirmation of receipt of
our email and requested further details on the reported issue. After providing them the
requested details, as well as a video of our PoC, they investigated the issue internally and
confirmed our findings. At a later stage a Tesla Motors security engineer came to visit us
to get a better understanding of the impact of our findings. To that end we successfully
demonstrated our attack on one of their engineering vehicles. Additionally, we informed
Texas Instruments of our findings related to their TMS37126 and TMS37F128 chips.
In parallel, when we found out that Tesla Motors did not build this PKES system
themselves, we contacted both their supplier, Pektron, and other potentially affected
manufacturers including McLaren, Karma and Triumph. Initially none of them replied to
our emails. After a few months and multiple attempts to make contact we did receive a
reply from McLaren and Karma. In both cases we provided the manufacturers with an
early version of this paper. Karma thanked us without further questions and McLaren
was no longer interested in communicating about the issue once we made clear we would
not be removing their name from this paper.
The findings in this paper are already public at the time of submission. We collected the
manufacturers’ public statements in Appendix A. All manufacturers, except for Pektron
and Karma, seem to have made a public statement. While Triumph never replied to
any of our emails they did give an official statement to journalists. Their statement
acknowledges we contacted them but indicates that they believe our attack to be a relay
attack. McLaren’s statement indicates that they read our paper as they mention the
theoretical car-only attack described in Section 4.3. However, they do not seem to consider
the most relevant attack vector.
BUSY
EOBA
44 37 36 23
MISO
MOSI
DST MSP430
CLK
1 22
LF UHF
Figure 7: A schematic overview of the TMS37F128 package with the DST co-processor
and MSP430 microcontroller. During nominal operation a challenge is receiver over LF
and communicated to the MSP430 using the EOBA pin. Afterwards, the microcontroller
sends it to the transponder over SPI after which it transmits the returned response over
UHF.
of information, some of our proposals may not be feasible in practice. In the remainder
of this section we assume that the BCM can be updated Over-The-Air (OTA) whereas
the key fob will have to be reprogrammed using JTAG or replaced by the manufacturer.
Furthermore, as advertised, we assume that the TMS37F128 chips can perform the DST80
operation.
Intuitively, the easiest mitigation strategy would be to upgrade to DST80 since it would
require only minor modifications in both the BCM and key fob firmware. If the DST80
cipher indeed offers 80 bits of security, it would preclude exhaustive search and TMTO
attacks for opponents with moderate budgets. While this solution would not require any
changes to the key fob hardware it does rely on the proprietary DST80 cipher which has
not received any public scrutiny. This is therefore only a short term solution, no new
vehicle or other product should rely on DST80 for security.
As DST80 is a proprietary cipher it would be worth exploring the possibility of
implementing a lightweight, secure cryptographic cipher in the MSP430 firmware. In such
case, the DST chip would be used only for its LF analog front-end and EEPROM storage.
This is possible since the DST chip receives the challenge transmitted by the car and sends
it to the MSP430 microcontroller using the EOBA pin, as shown in Figure 7. Afterwards,
the microcontroller sends the challenge back to the DST chip over SPI in order to get a
DST40 response which is transmitted over UHF. However, this approach would require
careful implementation and a certain expertise to not introduce new vulnerabilities.
In addition to upgrading the cipher suite, the communication protocols should be
updated. For example, the challenge-response protocol should include mutual authentica-
tion. According to the public information provided by Texas Instruments [Tex12c], mutual
authentication is supported.
The RKE protocol should be modified to authenticate the desired action in order to
make jamming and eavesdropping attacks harder to execute in practice. Additionally, it
would be desirable to introduce some partitioning in the system. If the DST transponder
allows to set multiple 80-bit keys the system should use independent random cryptographic
keys for unlocking and starting the vehicle.
Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel 79
Public information shows that Tesla introduced an OTA update that allows users to
disable the passive entry functionality and to enable Pin to Drive [Gre18]. Additionally,
all Tesla Model S vehicles produced from June 2018 onward use a newer key fob, existing
Tesla Model S owners can purchase the upgraded key fobs.
8 Conclusion
We analyzed the PKES system used in some of the most advanced cars on the market. Our
evaluation revealed that this system relies on a 40-bit proprietary cipher to unlock and
start the vehicle, and reuses the same 40-bit key for both functions. Therefore, there is no
security partitioning in this system. In addition to being vulnerable to relay attacks, the
protocol does not implement mutual-authentication enabling us to execute a chosen input
attack. The presented PoC attack allows us to clone a target key fob in a matter of seconds
using low cost equipment. Additionally, we discovered publicly undocumented commands
in the chips used by this system which are likely used for the proprietary DST80 cipher.
Despite extensive effort from the security research community to show the insecurities
associated with proprietary ciphers they are still used today. DST40 was first shown to
be insecure in 2005, yet fourteen years later it is still being used in high-end vehicles.
We would like to emphasize that there is no good reason to use proprietary ciphers over
well-scrutinized cryptographic primitives. For example, Texas Instruments offers similar
products using the AES [Ins13].
Furthermore, the secrecy of datasheets only hinders adversaries, security researchers
and professionals and does not provide real security. The fact that these datasheets are
secret makes it more difficult for any car manufacturer to conduct a thorough review of
the system they purchased from a third party. One can only wonder which additional
vulnerabilities could be revealed if these datasheets were ever leaked.
Additionally, we would like to encourage vehicle manufacturers to work more closely
with their supplier in order to prevent these issues in the future. Moreover, any company
that produces security and safety critical products should have a publicly documented
procedure for security researchers to report vulnerabilities.
Acknowledgments
The authors would like to thank Johan Vanhulst from the KU Leuven Department of
Materials Engineering for helping us with making the X-ray images, and Bert Deknuydt for
maintaining the computation pool at the KU Leuven Department of Electrical Engineering.
Furthermore we would like to thank Tesla Motors for constructive discussions during the
proper responsible disclosure procedure, and Amit Elazari as well as our university’s legal
department for assisting with legal and ethical disclosure questions. Finally, we would like
to thank the car owners who gave us permission to perform tests on their vehicles.
This work was supported in part by the Research Council KU Leuven: C16/15/058,
the Flemish Government through FWO Sancus G.0876.14N, by the Hercules Founda-
tion AKUL/11/19, through the Horizon 2020 research and innovation programme un-
der grant agreement Cathedral ERC Advanced Grant 695305, under grant agreement
H2020-FETFLAG-2018-03-820405 QRANGE, under grant agreement H2020-DS-LEIT-
2017-780108 FENTEC and the NIST project.
80 Passive Keyless Entry and Start Systems in Modern Supercars
References
[AC17] ADAC Allgemeiner Deutscher Automobil-Club. Weiterhin Sicherheitslücke
bei Komfortschlüsseln - Fahrzeuge mit Keyless leichter zu klauen.
https://www.adac.de/infotestrat/technik-und-zubehoer/
fahrerassistenzsysteme/keyless/, 2017. [Online; accessed 06-February-
2018].
[BGS+ 05] Steve Bono, Matthew Green, Adam Stubblefield, Ari Juels, Aviel D Rubin,
and Michael Szydlo. Security Analysis of a Cryptographically-Enabled RFID
Device. In USENIX Security Symposium, volume 31, pages 1–16, 2005.
[Bog07] Andrey Bogdanov. Linear Slide Attacks on the KeeLoq Block Cipher. In
Dingyi Pei, Moti Yung, Dongdai Lin, and Chuankun Wu, editors, Information
Security and Cryptology, Third SKLOIS Conference, Inscrypt 2007, Xining,
China, August 31 - September 5, 2007, Revised Selected Papers, volume 4990
of Lecture Notes in Computer Science, pages 66–80. Springer, 2007.
[BRLK17] Ryad Benadjila, Mathieu Renard, José Lopes-Esteves, and Chaouki Kasmi.
One Car, Two Frames: Attacks on Hitag-2 Remote Keyless Entry Systems
Revisited. In William Enck and Collin Mulliner, editors, 11th USENIX
Workshop on Offensive Technologies, WOOT 2017, Vancouver, BC, Canada,
August 14-15, 2017. USENIX Association, 2017.
[Dow18] Alan Dowds. Triumph issues advice to prevent keyless ignition hacking.
https://www.visordown.com/news/general/triumph-issues-advice-
prevent-keyless-ignition-hacking, 2018. [Online; accessed 21-Nov-
2018].
[EKM+ 08] Thomas Eisenbarth, Timo Kasper, Amir Moradi, Christof Paar, Mahmoud
Salmasizadeh, and Mohammad T. Manzuri Shalmani. On the Power of Power
Analysis in the Real World: A Complete Break of the KeeLoqCode Hopping
Scheme. In David A. Wagner, editor, Advances in Cryptology - CRYPTO
2008, 28th Annual International Cryptology Conference, Santa Barbara, CA,
USA, August 17-21, 2008. Proceedings, volume 5157 of Lecture Notes in
Computer Science, pages 203–220. Springer, 2008.
[fai14] RFID hacking preamble: a new peak detection for the proxmark3.
https://fail0verflow.com/blog/2014/proxmark3-fpga-peak-
detection/, 2014. [Online; accessed 7-May-2018].
[fcc12] OET Exhibits List for FCC ID AQO002. fcc.io/AQO002, 2012. [Online;
accessed 7-May-2018].
[FDC11] Aurélien Francillon, Boris Danev, and Srdjan Capkun. Relay Attacks on
Passive Keyless Entry and Start Systems in Modern Cars. In Proceedings
of the Network and Distributed System Security Symposium, NDSS 2011,
San Diego, California, USA, 6th February - 9th February 2011. The Internet
Society, 2011.
Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel 81
[Gad] Great Scott Gadgets. YARD Stick One - a sub-1 GHz wireless test tool
controlled by your computer.
https://greatscottgadgets.com/yardstickone/. [Online; accessed 7-May-
2018].
[GdKGV12] Flavio D Garcia, Gerhard de Koning Gans, and Roel Verdult. Tutorial:
Proxmark, the swiss army knife for RFID security research. Technical Report,
Radboud University Nijmegen, 2012.
[GOKP16] Flavio D. Garcia, David Oswald, Timo Kasper, and Pierre Pavlidès. Lock It
and Still Lose It - on the (In)Security of Automotive Remote Keyless Entry
Systems. In Thorsten Holz and Stefan Savage, editors, 25th USENIX Security
Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016.,
pages 929–944. USENIX Association, 2016.
[Goo08] Travis Goodspeed. Practical attacks against the msp430 bsl. In Twenty-Fifth
Chaos Communications Congress. Berlin, Germany, 2008.
[GPHM10] Jim Goings, Toby Prescott, Michael Hahnen, and Karl Militzer. Design and
Security Considerations for Passive Immobilizer Systems, 2010.
[Gre18] Andy Greenberg. Hackers can steal a tesla model s in seconds by clonign its
key fob.
https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-
key-fob/, 2018. [Online; accessed 11-Sep-2018].
[IKD+ 08] Sebastiaan Indesteege, Nathan Keller, Orr Dunkelman, Eli Biham, and Bart
Preneel. A Practical Attack on KeeLoq. In Nigel P. Smart, editor, Advances
in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on
the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey,
April 13-17, 2008. Proceedings, volume 4965 of Lecture Notes in Computer
Science, pages 1–18. Springer, 2008.
[Kai08] Ulrich Kaiser. Digital Signature Transponder. In Paris Kitsos and Yan Zhang,
editors, RFID Security: Techniques, Protocols and System-on-Chip Design,
pages 177–189. Springer US, Boston, MA, 2008.
[KKMP09] Markus Kasper, Timo Kasper, Amir Moradi, and Christof Paar. Breaking
KeeLoq in a Flash: On Extracting Keys at Lightning Speed. In Bart Preneel,
editor, Progress in Cryptology - AFRICACRYPT 2009, Second International
82 Passive Keyless Entry and Start Systems in Modern Supercars
A Vendor responses
A.1 Tesla Motors
"Due to the growing number of methods that can be used to steal many kinds
of cars with passive entry systems, not just Teslas, we’ve rolled out a number
of security enhancements to help our customers decrease the likelihood of
unauthorized use of their vehicles.
None of these options would be possible for any traditional automaker – our
ability to update software over the air to improve functionality and security is
unique.
Based on the research presented by this group, we worked with our supplier
to make our key fobs more secure by introducing more robust cryptography
for Model S in June 2018. A corresponding software update for all Model S
vehicles allows customers with cars built prior to June to switch to the new
key fobs if they wish.
In addition, we had already been working on several other over-the-air updates
to help protect our customers from thefts – last year we introduced an update
that allows all customers to turn off passive entry entirely, and this year we
introduced PIN to Drive, which allows customers to set a unique PIN that
needs to be entered before their vehicle is driven." [Gre18]
B Example schematic
The schematic in Figure 8 allows one to connect a TMS37126 IC to an Arduino Pro Mini
(3.3 V, 8 MHz). D2, D5, D11, D12 and D13 refer to digital pins on the Arduino board.
Figure 8: The correct pinout for the TMS37126 ICs we tested and an example schematic
of how to connect it to an Arduino Pro Mini.
Figure 9: The first (top) plot shows the analog signal received by the antenna (measured
at TP2). The second plot shows the analog signal after passing through the Proxmark’s
LORAW receive path (measured at C41). The third plot shows the result of the Proxmark’s
analog peak detect circuit (measured at TP1), this analog signal is digitized by an 8-bit
ADC, the output of which is processed by the FPGA to produce the final digital peak
detect signal (measured at TP7). This signal is processed by the microcontroller and
results in the demodulated signal.