Scribd Logo
Upload

Welcome to Scribd!

  • D2T2 - Yingtao Zeng, Qing Yang and Jun Li - Car Keyless Entry System Attacks

    Uploaded by

    Easy Writer
    1K views21 pages
    This document summarizes a keyless entry car system attack using a relay technique. It describes how passive keyless entry systems authenticate cars through radio frequency signals and outlines a scenario where two attackers use inexpensive hardware and antennas to relay these signals across a large distance, tricking the car into opening when the actual key is far away. It then demonstrates this attack in real world scenarios, discusses potential countermeasures like using Faraday cages or stricter timing constraints, and references further technical documents on the hardware components used.

    Original Description:

    HackKey Document

    Original Title

    D2T2 - Yingtao Zeng, Qing Yang and Jun Li - Car Keyless Entry System Attacks (1)

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document summarizes a keyless entry car system attack using a relay technique. It describes how passive keyless entry systems authenticate cars through radio frequency signals and outlines a scenario where two attackers use inexpensive hardware and antennas to relay these signals across a large distance, tricking the car into opening when the actual key is far away. It then demonstrates this attack in real world scenarios, discusses potential countermeasures like using Faraday cages or stricter timing constraints, and references further technical documents on the hardware components used.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    1K views21 pages

    D2T2 - Yingtao Zeng, Qing Yang and Jun Li - Car Keyless Entry System Attacks

    Uploaded by

    Easy Writer
    This document summarizes a keyless entry car system attack using a relay technique. It describes how passive keyless entry systems authenticate cars through radio frequency signals and outlines a scenario where two attackers use inexpensive hardware and antennas to relay these signals across a large distance, tricking the car into opening when the actual key is far away. It then demonstrates this attack in real world scenarios, discusses potential countermeasures like using Faraday cages or stricter timing constraints, and references further technical documents on the hardware components used.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 21

    Car keyless entry system attack

    Yingtao Zeng,Qing Yang,Jun Li


    UnicornTeam,Qihoo360
    Passive Keyless Entry System

    Image source:http://www.nxp.com/documents/leaflet/75017275.pdf
    Normal Authentication Flow
    Choose the Suitable Antenna
    The 125Khz Carrier Signal
    Decode The Data
    The Relay Attack Scenario
    The Relay Attack Scenario

    Notice there are timing


    constraints enforced!!!

    Blue:CC1101
    Red:EM4095
    White:AS3933
    315
    Mhz
    125Khz

    315 315
    Mhz CH2 CH1 Mhz CH2 125Khz CH1
    DEMO
    DEMO
    DEMO
    COST
    • BQ24170 1.3 • 125Khz 3D Ant 2.2
    • CC1101 1.3 *6 • atmega3280p 0.75 *2
    • EM4095 0.6 • 2.5db Ant 0.41 *6
    • PCBbord 0.7 *2
    • as3933 0.95
    • ~ 20 EUR
    • 125Khz Ant 0.95
    RANGE1

    ANT 2.5 DBi


    ~320 M
    RANGE2
    Real world Attack scenarios
    Once the car is started ,if the car is
    being driven out of the relay range,
    Car is the car will only warning you that the
    parked in keyfob can not be detected,but it
    Parking lot/ won’t stop the engine ,so the thief
    Roadside/ (ie .us ;))can drive utill out of gas.
    etc

    Ownner is in
    Home/
    Shopping mall/
    Starbuck /
    etc
    Reference
    • http://ams.com/eng/Products/Wireless-Connectivity/Wireless-Sensor-Connectivity/AS3933
    • http://cache.nxp.com/documents/leaflet/75017275.pdf?fsrch=1&sr=1&pageNum=1
    • http://www.nxp.com/documents/leaflet/75017275.pdf
    • http://www.ti.com/lit/ds/swrs061i/swrs061i.pdf
    • https://eprint.iacr.org/2010/332.pdf
    Possible Countermeasures?
    Put the keyfob inside a faraday cage/bag
    Remove the battery
    Stricter timing constraints
    For manufactures :take relative position
    between the car and keyfob into consideration
    Q&A

    You might also like