Gone in 360 Seconds: Hijacking with Hitag2

An electronic vehicle immobilizer is an anti-theft device which prevents the engine of the vehicle from starting unless the corresponding transponder is present. Such a transponder is a passive RFID tag which is embedded in the car key and wirelessly authenticates to the vehicle. It prevents a perpetrator from hot-wiring the vehicle or starting the car by forcing the mechanical lock. Having such an immobilizer is required by law in several countries. Hitag2, introduced in 1996, is currently the most widely used transponder in the car immobilizer industry. It is used by at least 34 car makes and fitted in more than 200 different car models. Hitag2 uses a proprietary stream cipher with 48-bit keys for authentication and confidentiality. This article reveals several weaknesses in the design of the cipher and presents three practical attacks that recover the secret key using only wireless communication. The most serious attack recovers the secret key from a car in less than six minutes using ordinary hardware. This attack allows an adversary to bypass the cryptographic authentication, leaving only the mechanical key as a safeguard. This is even more sensitive on vehicles where the physical key has been replaced by a keyless entry system based on Hitag2. During our experiments we managed to recover the secret key and start the engine of many vehicles from various makes using our transponder-emulating device. These experiments also revealed several implementation weaknesses in the immobilizer units.
