D2T2 - Yingtao Zeng, Qing Yang and Jun Li - Car Keyless Entry System Attacks
Image source: http://www.nxp.com/documents/leaflet/75017275.pdf
Normal Authentication Flow
Choose the Suitable Antenna
The 125 kHz Carrier Signal
Decode The Data
The Relay Attack Scenario
[Figure: relay setup diagram showing 315 MHz and 125 kHz links, labelled CH1 and CH2]
DEMO
COST
• BQ24170 1.3
• CC1101 1.3 *6
• EM4095 0.6
• as3933 0.95
• atmega3280p 0.75 *2
• PCB board 0.7 *2
• 125 kHz 3D Ant 2.2
• 125 kHz Ant 0.95
• 2.5 dB Ant 0.41 *6
• Total: ~20 EUR
RANGE1
Owner is in: home / shopping mall / Starbucks / etc.
Reference
• http://ams.com/eng/Products/Wireless-Connectivity/Wireless-Sensor-Connectivity/AS3933
• http://cache.nxp.com/documents/leaflet/75017275.pdf?fsrch=1&sr=1&pageNum=1
• http://www.nxp.com/documents/leaflet/75017275.pdf
• http://www.ti.com/lit/ds/swrs061i/swrs061i.pdf
• https://eprint.iacr.org/2010/332.pdf
Possible Countermeasures?
Put the keyfob inside a Faraday cage/bag
Remove the battery
Stricter timing constraints
For manufacturers: take the relative position between the car and keyfob into consideration
Q&A