
Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars - page 9 / 15


| Car model | Relay cable 7 m (open) | Relay cable 7 m (go) | Relay cable 30 m (open) | Relay cable 30 m (go) | Relay cable 60 m (open) | Relay cable 60 m (go) | Key to antenna distance (m), No Amplifier (open) | No Amplifier (go) | With Amplifier (open) | With Amplifier (go) |
|---|---|---|---|---|---|---|---|---|---|---|
| Model 1 | X | X | X | X | X | X | 2 | 0.4 | * | * |
| Model 3 | X | X | X | X | X | X | - | - | - | - |
| Model 4 | X | X | - | - | - | - | - | - | - | - |
| Model 5 | X | X | X | X | X | X | 2.5 | 1.5 | 6 | 5.5 |

Table 4. Experimental results distances summary. Legend: 'X' relay works without amplification, 'A' with amplification, '-' not tested, '*' value will be updated

ulate the signals (e.g., LF and UHF) and transmit them e.g., over UDP. As explained above, the Software Defined Radio (SDR) we used in our experiments has significant delays, which would make such relays difficult. However, SDRs with low delays have recently been developed [43]. Such a platform would make it possible to build relays with sub-microsecond delays.

4.3 Key Response Time and Spread

Other characteristics of the smart key that are relevant to the physical-layer relay performance are the key response time and spread. The key response time is the elapsed time between the moment when the challenge is sent by the car and the beginning of the response from the smart key. The key response time spread is the difference between the minimum and maximum key response times that we have observed. The computation of these two measures allows us to estimate (i) how much delay the physical-layer relay attack could exploit without any practical detection being possible and (ii) what the design decision is behind the maximum acceptable delays allowed by the evaluated systems. We note that the numerical differences of these two measures between car models are due to the hardware used as well as the implementation of the secure protocols (e.g., message size, type of encryption).

In order to measure the key response time and spread, we recorded the protocol message exchanges between the car and key at radio frequency (RF) with an oscilloscope using a high sampling rate (from 20 to 50 MS/s depending on the PKES system). This allowed us to have a precise estimation (within tens of nanoseconds) of the start and end of transmitted messages. Table 5 summarizes the average key response time with its standard deviation and the key response time spread computed from 10 different message exchanges during car open.

The results show large differences between different car models. The key response standard deviations vary from 4 to 196 µs, and the maximum spread from 11 to 436 µs. These values show that the current implementations exhibit large variance. That is, possible solutions that rely on measurements of the average key response time in order to detect the time delay introduced by our attack would be infeasible; even the smallest key response time spread of 11 µs (Model 5) is already too large to be used for the detection of our attack. We recall that our 30 meter wireless physical-layer relay requires only approximately 120 ns in one direction (Table 3).

Moreover, we also observe that a higher key response spread leads to a higher acceptable delay. The manufacturers seem to fix the maximum acceptable delay at 20 to 50 times the measured spread (except for Model 10). The reason is most likely to provide high reliability of the system, as any smaller delays could occasionally cause car owners to be denied access to the car and/or authorization to drive.
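The timing argument of this section, worked through numerically as an added example (not code or data from the paper): it computes the mean, standard deviation and spread of ten response times and checks what a response-time threshold could detect. The sample values are constructed; only the 11 µs spread, the 120 ns relay delay and the factor of 20 are taken from the text, and all function names are hypothetical.

```python
from statistics import mean, stdev

C_M_PER_US = 299.792458  # speed of light in metres per microsecond

# Constructed key response times (microseconds) for 10 "open" exchanges.
# Only the 11 us spread and the 120 ns relay delay come from the text.
SAMPLES_US = [1046.0, 1049.5, 1051.0, 1044.0, 1055.0,
              1047.5, 1052.0, 1045.0, 1050.0, 1053.5]
RELAY_DELAY_US = 0.120  # one-direction delay of the 30 m wireless relay


def response_stats(samples_us):
    """Return (mean, standard deviation, spread) of the response times."""
    return mean(samples_us), stdev(samples_us), max(samples_us) - min(samples_us)


def flagged_fraction(samples_us, added_delay_us, threshold_us):
    """Fraction of exchanges a 'response later than threshold' check rejects."""
    late = [t for t in samples_us if t + added_delay_us > threshold_us]
    return len(late) / len(samples_us)


def extra_path_m(delay_us):
    """Free-space path length whose propagation time equals delay_us."""
    return delay_us * C_M_PER_US


def evaluate(samples_us, relay_us=RELAY_DELAY_US, accept_factor=20):
    avg, sd, spread = response_stats(samples_us)
    return {
        "mean_us": avg, "stdev_us": sd, "spread_us": spread,
        # Threshold at the average response time: rejects honest keys too.
        "mean_thr_honest": flagged_fraction(samples_us, 0.0, avg),
        "mean_thr_relayed": flagged_fraction(samples_us, relay_us, avg),
        # Tightest threshold that still accepts every honest sample.
        "max_thr_relayed": flagged_fraction(samples_us, relay_us, max(samples_us)),
        # Acceptance window modelled as accept_factor x spread (low end of 20-50).
        "window_us": accept_factor * spread,
        "relay_fits_window": relay_us < accept_factor * spread,
        "spread_as_path_m": extra_path_m(spread),
        "relay_as_path_m": extra_path_m(relay_us),
    }


if __name__ == "__main__":
    for name, value in evaluate(SAMPLES_US).items():
        print(f"{name:>18}: {value}")
```

On these samples a threshold at the mean rejects the same share of honest and relayed exchanges, and an 11 µs spread corresponds to roughly 3.3 km of extra signal path against about 36 m for the relay delay.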

5 Implications of the Relay Attack on PKES Systems

In this section we describe different attack scenarios and discuss the implications of relay attacks on PKES systems.

Common Scenario: Parking Lot. In this scenario, the attackers can install their relay setup in an underground parking, placing one relay antenna close to the passage point (a corridor, a payment machine, an elevator). When the user parks and leaves his car, the Passive Keyless Entry System will lock the car. The user then exits the parking
