
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars - page 4 / 15


Figure 2. Backup key and LF coverage regions. (a) PKES Key and its backup physical key. (b) Car LF coverage.

Table 2. PKES Access Control Summary

| Key position | Authorization | Medium used: Car → Key | Medium used: Key → Car |
|---|---|---|---|
| Normal mode: when the internal battery is present | | | |
| Remote | Active open/close | None | UHF |
| Outside | Passive open/close | LF | UHF |
| Inside | Passive start | LF | UHF |
| Backup mode: when the internal battery is exhausted | | | |
| Remote | Open/close | Impossible | |
| Outside | Open/close | With physical key | |
| Inside | Start | LF | LF |

usually embed a backup physical key within the key fob to open the car doors. These are shown in Figure 2(a). In order to start the engine the system uses the passive LF RFID capabilities of the key. Given the very short communication range as discussed before, the user is required to place the key in the close proximity of some predefined location in the car (e.g., the car Start button). We discuss the security implications of that mode of operation in Section 6.

3 Relay Attack on Smart Key Systems

In this section we first describe generic relay attacks, and then we present the attacks that we implemented and tested on PKES systems of several cars from different manufacturers. In our experiments, we relayed the LF communication between the car and the key; the relay of the UHF communication (from the key to the car) was not needed since this communication is 'long' range (approx. 100 m) and is not used in PKES systems for proximity detection. However, similar relay attacks could also be mounted on UHF communication if a longer relay than 100 m would be required.

3.1 Relay Attacks

The relay attack is a well known attack against communication systems [23]. In a basic relay attack, messages are relayed from one location to another in order to make one entity appear closer to the other. Examples of relay attacks have been shown on credit card transactions [17] and between nodes in wireless sensor networks, known as a wormhole attack [24]. An example of relay attack on RFID² has been shown in [21]. The attack consists of first demodulating the signal, transmitting it as digital information using RF and then modulating it near the victim tag. In this experimental setup, the relay adds 15 to 20 µseconds of delay. This delay would be detected by a suitable key/car pair as the delay of signal propagation is in the order of nanoseconds for a short distance.

In this work, we design and implement a relay attack in the analog domain at the physical layer. Our attack does not need to interpret, nor to modify the signal, i.e., our attack only introduces the delays typical for analog RF components. It is completely transparent to most security protocols designed to provide authentication or secrecy of the messages. Although some attacks have been reported on key entry systems [25, 33, 13, 8], our attack is independent of those. Even if a passive keyless entry system uses strong cryptography (e.g., AES, RSA), it would still be vulnerable to our proposed relay attack.

It should be noted that many relay attacks previously

² Although for a different RFID technology namely ISO 14443 at 13.56 MHz.
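The two observations in Section 3.1 (a relay is transparent to the cryptographic check, while the delay of a demodulating relay stands out against nanosecond-scale propagation) can be seen in a small timing model. This is an added example, not code from the paper: the HMAC challenge-response, the key processing time, the tolerance and the 2 m bound are constructed assumptions, and the 15 µs figure is the lower relay delay quoted above for [21].

```python
import hashlib
import hmac
import os

C = 299_792_458.0          # speed of light in m/s
KEY_PROCESSING_NS = 1_000  # constructed: fixed, known key response latency
TOLERANCE_NS = 50          # constructed: measurement slack the car allows
MAX_DISTANCE_M = 2.0       # constructed: proximity the car wants to enforce


def key_response(secret: bytes, challenge: bytes) -> bytes:
    """Key side: prove knowledge of the shared secret for this challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def round_trip_ns(distance_m: float, relay_ns: float = 0.0) -> float:
    """Modelled time from challenge sent to response received.

    Two-way propagation over distance_m, plus the key's processing time,
    plus whatever delay a relay in the path adds.
    """
    return 2 * distance_m / C * 1e9 + KEY_PROCESSING_NS + relay_ns


def car_verify(secret, challenge, response, rtt_ns):
    """Return (crypto_ok, accepted_with_time_bound)."""
    crypto_ok = hmac.compare_digest(response, key_response(secret, challenge))
    bound_ns = 2 * MAX_DISTANCE_M / C * 1e9 + KEY_PROCESSING_NS + TOLERANCE_NS
    return crypto_ok, crypto_ok and rtt_ns <= bound_ns


def simulate(distance_m: float, relay_ns: float = 0.0):
    """One challenge-response run; a relay forwards messages unmodified."""
    secret = os.urandom(16)
    challenge = os.urandom(16)
    response = key_response(secret, challenge)  # the relay does not alter it
    rtt = round_trip_ns(distance_m, relay_ns)
    return car_verify(secret, challenge, response, rtt)


if __name__ == "__main__":
    print("key at 1 m, no relay:          ", simulate(1.0))
    print("key at 50 m, 15 us relay [21]: ", simulate(50.0, relay_ns=15_000))
```

In both runs the cryptographic check succeeds; only the response-time bound separates the nearby key from the relayed one.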
