Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems

Flavio D. Garcia (1), School of Computer Science, University of Birmingham, UK
David Oswald (2), School of Computer Science, University of Birmingham, UK
Timo Kasper (2), Kasper & Oswald GmbH, Germany
Pierre Pavlidès (1), School of Computer Science, University of Birmingham, UK

(1) These authors contributed the research on Hitag2.
(2) These authors contributed the research on VW Group.

https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/garcia

This paper is included in the Proceedings of the 25th USENIX Security Symposium, August 10–12, 2016 • Austin, TX. ISBN 978-1-931971-32-4. Open access to the Proceedings of the 25th USENIX Security Symposium is sponsored by USENIX.

Abstract

While most automotive immobilizer systems have been shown to be insecure in the last few years, the security of remote keyless entry systems (to lock and unlock a car) based on rolling codes has received less attention. In this paper, we close this gap and present vulnerabilities in keyless entry schemes used by major manufacturers. In our first case study, we show that the security of the keyless entry systems of most VW Group vehicles manufactured between 1995 and today relies on a few, global master keys. We show that by recovering the cryptographic algorithms and keys from electronic control units, an adversary is able to clone a VW Group remote control and gain unauthorized access to a vehicle by eavesdropping a single signal sent by the original remote. Secondly, we describe the Hitag2 rolling code scheme (used in vehicles made by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford among others) in full detail. We present a novel correlation-based attack on Hitag2, which allows recovery of the cryptographic key and thus cloning of the remote control with four to eight rolling codes and a few minutes of computation on a laptop. Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles.

1 Car Keys

For several decades, car keys have been used to physically secure vehicles. Initially, simple mechanical keys were introduced to open the doors, unlock the steering, and operate the ignition lock to start the engine. Given physical access to a mechanical key, or at hand of a detailed photograph, it is possible to create a duplicate. In addition, mechanical tumbler locks and disc locks are known to be vulnerable to techniques such as lock-picking and bumping that allow to operate a lock without the respective key. Finally, for most types of car locks, locksmith tools exist that allow to decode the lock and create a matching key.

1.1 Electronics in a Car Key

With electronic accessories becoming available, additional features were integrated into the locking and starting systems of cars: some of them to improve the comfort, others to increase security. On the side of the car key, this implies some electronic circuitry integrated in its plastic shell, as illustrated in Figure 1. Note that the link between Remote Keyless Entry (RKE) and immobilizer is optional. In the Hitag2 system (Section 4), the immobilizer interface can be used to re-synchronize the counter used for RKE, while VW Group vehicles (Section 3) completely separate RKE and immobilizer. In vehicles with Passive Keyless Entry and Start (PKES) (Section 1.1.2), the low-frequency immobilizer link is used to trigger the transmission of a door opening signal over the high-frequency RKE interface.

[Figure 1 labels: remote keyless entry (433/315/868 MHz) with RKE antenna, RF, button(s) and RKE µC; optional link to the immobilizer RFID (125 kHz); mechanical part (key blade)]
Figure 1: Main components of a car key: RKE and immobilizer systems are separate and use different RF frequencies.

1.1.1 Immobilizer Transponders

One of the most notable events in the history of car security was the introduction of the immobilizer, which significantly reduced the number of stolen cars and so-called joyrides conducted by teenagers. An electronic immobilizer improves the security of the car key with respect to starting the engine. Technically, most immobilizers rely on Radio Frequency IDentification (RFID) technology: An RFID transponder is embedded in the plastic shell of the car key and contains a secret that is required to switch on the ignition and start the engine. An antenna coil around the ignition lock establishes a bidirectional communication link and provides the energy for the transponder in order to verify its authenticity with a range of a few centimeters. All modern immobilizers use cryptography for authentication between transponder and vehicle, typically based on a challenge-response protocol.

For many years, only weak, proprietary cryptography was implemented in immobilizer transponders worldwide. This may have been caused by the limited energy available on RFID-powered devices, technological limitations, and cost considerations. The first type of immobilizer transponder to be broken was the widespread DST40 cipher used in Texas Instrument's Digital Signature Transponder (DST), which was reverse-engineered and broken at Usenix Security 2005 [8]: The 40-bit secret key of the cipher can be revealed in a short time by means of exhaustive search. This paper was at the same time one of the first published attacks on a commercial device in the literature. A few years later, at Usenix Security 2012, researchers published several cryptanalytic attacks on NXP's Hitag2 transponders [30,32], the most widely used car immobilizer at that time. The authors showed that an attacker can obtain the 48-bit secret key required to bypass the electronic protection in less than 360 seconds. One year later, in a paper submitted to Usenix Security 2013 (and finally published in 2015), the security mechanism of the Megamos Crypto transponder was found to be vulnerable to cryptanalytic attacks [31,33]. The 96-bit secret key of the cipher is mapped into a 57-bit state of a stream cipher that can be rolled back. A flawed key generation (multiple bits of the secret key are set to zero) additionally found in various transponders decreases the attack time from the order of days to a few seconds using a Time-Memory Tradeoff (TMTO).

As a result, the majority of RFID immobilizers used in today's vehicles can be cloned: the secret of the transponder can be obtained by an adversary to circumvent the added security provided by the immobilizer. The cryptography of these immobilizers has to be considered broken as their added protection to prevent criminals from starting the engine of a car is very weak.

1.1.2 Passive Keyless Entry and Start

Today, certain modern cars (especially made by luxury brands) are equipped with PKES systems that rely on a bidirectional challenge-response scheme, with a small operating range of about one meter: When in proximity of the vehicle, the car key generates a cryptographic response to a challenge transmitted by the car. A valid response unlocks the doors, deactivates the alarm system, and enables the engine to start. As a consequence, the only remaining mechanical part in some cars is a door lock for emergencies (usually found behind a plastic cover on the driver's side), to be used when the battery is depleted.

Unfortunately, PKES does not require user interaction (such as a button press) on the side of the car key to initiate the cryptographic computations and signal transmission. The lack of user interaction makes PKES systems prone to relay attacks, in which the challenge and response signals are relayed via a separate wireless channel: The car key (e.g., in the pocket of the victim) and vehicle (e.g., parked hundreds of meters away) will assume their mutual proximity and successfully authenticate. Since the initial publication of these relay attacks in 2011 [14], tools that automatically perform relay attacks on PKES systems are available on the black market and are potentially used by criminals to open, start, and steal vehicles.

1.1.3 Remote Keyless Entry Systems

RKE systems rely on a unidirectional data transmission from the remote control, which is embedded in the car key, to the vehicle. Upon pressing a button, an active Radio Frequency (RF) transmitter in the remote control usually generates signals in a freely usable frequency band. These include the 315 MHz band in North America and the 433 MHz or 868 MHz band in Europe, with a typical range of several tens to hundreds of meters. Note that a few old cars have been using infrared technology instead of RF. RKE systems enable the user to comfortably lock and unlock the vehicle from a distance, and can be used to switch on and off the anti-theft alarm, when present.

The first remote controls for cars used no cryptography at all: The car was unlocked after the successful reception of a constant "fix code" signal. Replay attacks on these systems are straightforward. We encountered a Mercedes Benz vehicle manufactured around 2000 that still relies on such fix code RKE systems.

The next generation of RKE systems are so-called rolling code systems, which employ cryptography and a counter value that is increased on each button press. The counter value (and other inputs) form the plaintext for generating a new, encrypted (or otherwise authenticated) rolling code signal. After decryption/verification on the side of the vehicle, the counter value is checked by comparing it to the last stored counter value that was recognized as valid: An increased counter value is considered new and thus accepted. A rolling code with an old counter value is rejected. This mechanism constitutes an effective protection against replay attacks, since a rolling code is invalidated once it has been received by the vehicle. The cryptographic mechanisms behind rolling code systems are further described in Section 2.

In principle, such unidirectional rolling code schemes can provide a suitable security level for access control. However, as researchers have shown in the case of Keeloq in 2008, the security guarantees are invalidated if they rely on flawed cryptographic schemes: Keeloq was broken both by cryptanalysis [7,15] and, in a more realistic setting, by side-channel attacks on the key derivation scheme executed by the receiver unit [12,17]. Although it is frequently mentioned that Keeloq is widely used for vehicle RKE systems, our research indicates that this system is prevalently employed for garage door openers.

Another attack, targeting an outdated automotive RKE scheme of an unspecified vehicle (built between 2000 and 2005), was demonstrated by Cesare in 2014 [9]: An adversary has to eavesdrop three subsequent rolling codes. Then, using phase-space analysis, the next rolling code can be predicted with a high probability. However, apart from this attack the cryptographic security of automotive RKE systems has not been investigated to our knowledge. In particular, a large-scale survey and security analysis of very wide-spread rolling code systems has not been carried out.

A different, simple but effective method used by criminals to break into cars is to jam the RF communication when the victim presses the remote control to lock the car. The victim may not notice the attack and thus leave the car open. A variant of the attack is "selective jamming", i.e., a combined eavesdropping-and-jamming approach: The transmitted rolling code signal is monitored and at the same time jammed, with the effect that the car is not locked and the attacker possesses a temporarily valid (one-time) rolling code. Consequently, a car could be found appropriately locked after a burglary. This approach was first mentioned in [17] and later practically demonstrated by [16,27]. Note that one successful transmission of a new rolling code from the original remote to the car usually invalidates all previously eavesdropped rolling codes, i.e., the time window for the attack is relatively small. Furthermore, it is usually not possible to change the signal contents, for example, convert a "lock" command into an "unlock". This limitation is often overlooked (e.g. in [16,27]) and severely limits the practical threat posed by this type of attack.

1.2 Contribution and Outline

In this paper, we study several extremely widespread RKE systems and reveal severe vulnerabilities, affecting millions of vehicles worldwide. Our research was in part motivated by reports of unexplained burglaries of locked vehicles (for example [1,2]), as well as scientific curiosity regarding the security of our own, personal vehicles.

The remainder of this paper is structured as follows: In Section 2, we briefly summarize the results of our preliminary analysis of different RKE systems solely by analyzing the transmitted RF signals. The main contributions presented subsequently are:

1. In Section 3, we analyze the RKE schemes employed in most VW Group vehicles between 1995 and today. By reverse-engineering the firmware of the respective Electronic Control Units (ECUs), we discovered that VW Group RKE systems rely on cryptographic schemes with a single, worldwide master key, which allows an adversary to gain unauthorized access to an affected vehicle after eavesdropping a single rolling code.

2. In Section 4, we study an RKE scheme based on the Hitag2 cipher, as used by many different manufacturers. We have reverse-engineered the protocol in a black-box fashion and present a novel, fast correlation attack on Hitag2 applicable in an RKE context. By eavesdropping four to eight rolling codes, an adversary can recover the cryptographic key within minutes and afterwards clone the original remote control.

2 Preliminary Analysis of RKE Systems

To address the research question of this paper: "how secure are modern automotive RKE systems?", we captured RF signals from the remote controls of a variety of vehicles, including our own cars (VW Passat 3B, Škoda Fabia, Alfa Romeo Giulietta). Today, the required hardware for receiving (and sending) RKE signals is widely available. For our analyses, we used various devices, including Software-Defined Radios (SDRs) (HackRF, USRP, rtl-sdr DVB-T USB sticks) and inexpensive RF modules. Figure 2 shows our simple setup which costs ≈ $40, is battery-powered, can eavesdrop and record rolling codes, emulate a key, and perform reactive jamming.

Figure 2: Arduino-based RF transceiver

Studying the raw received signals and guessing the respective modulation and encoding schemes turned out to be straightforward: The majority of the studied RKE systems uses simple Amplitude-Shift Keying (ASK) as modulation scheme, while a smaller percentage employs Frequency Shift Keying (FSK). For the encoding of the actual data bits, the most prevalent methods are Manchester encoding and pulse-width encoding. The utilized bit rates range from less than 1 kBit/s (for older remotes) to 20 kBit/s (for newer remotes).

A typical rolling code packet consists of a preamble (i.e., a regular sequence of 0 and 1), a fixed start pattern (a sequence of one or a few fixed bytes), the actual, cryptographic data payload, and a final checksum, cf. Figure 3. Note that many schemes slightly deviate from this general structure. Also, in virtually all cases, the same packet is sent multiple times, presumably to increase the reliability in presence of environmental disturbances.

[Figure 3 fields, in order: Preamble | Start pattern | Payload | Checksum]
Figure 3: General packet structure of a rolling code. Gray background indicates that the part is either encrypted or authenticated.

The data payload normally contains the Unique Identifier (UID) of the remote control, the rolling counter value, and the pressed button (i.e., "unlock", "lock", "open trunk", in the US also "panic" or "alarm"). Obviously, the data sent by the remote control has to be cryptographically authenticated in some way. There appear to be two major routes that were taken by designers of RKE systems:

Implicit authentication: The complete payload (or part of it) is symmetrically encrypted. The receiver then decrypts the packet, and checks if the content is valid, i.e., if the UID is known to the vehicle and the counter is in its validity window. Examples for this approach can be found in Section 3.

Explicit authentication: Some form of Message Authentication Code (MAC) is computed over the data payload and then appended to the packet. An example of this approach is the Hitag2 scheme described in Section 4.

As a next step, we tried to determine the utilized encryption algorithms. However, a search for publicly available documentation or data sheets yielded few results. For example, the systems employed in VW Group vehicles (VW, Seat, Škoda, and Audi) appear to be a complete black box without any publicly documented security analysis. Since VW Group vehicles are extremely wide-spread, we selected this manufacturer as the target of our first case study (Section 3). Our second case study focuses on the Hitag2 scheme, for which abridged (one-page) data sheets can be found on the Internet [26]. We found Hitag2-based remote controls in vehicles made by a variety of manufacturers, hence, we opted to recover the exact functionality and further analyze the security of this RKE scheme (Section 4).

3 Case Study 1: The VW System

With over 23% market share in Europe (September 2015) and 11.1% worldwide (August 2014), the VW Group is amongst the leading global automotive manufacturers [13]. We had access to a wide variety of VW Group vehicles for our security analysis, from vehicles manufactured in the early 2000s to ones for the model year 2016. In total, the VW Group has sold almost 100 million cars from 2002 until 2015. While not all of these vehicles use the RKE schemes covered in this section, we have strong indications that the vast majority is vulnerable to the attacks presented in the following. Note that the VW Group also includes certain luxury brands (e.g., Porsche, Bentley, Lamborghini, Bugatti) that we did not analyze in detail. Instead, we focused on more wide-spread vehicles manufactured by VW, Seat, Škoda, and Audi. For a list of cars that we validated our findings with, refer to Section 3.5.1. Eavesdropping and analyzing the signals transmitted by numerous remote controls, we identified at least 7 different RKE schemes, referred to as VW-x (x = 1 ... 7) in the following. Out of these systems, we selected the four schemes covering the largest amount of vehicles:

VW-1: The oldest system, used in model years until approximately 2005. The remote control transmits On-Off-Keying (OOK) modulated signals at 433.92 MHz, using pulse-width coding at a bitrate of 0.667 kBit/s.

VW-2: Used from approximately 2004 onwards. The operating frequency is 434.4 MHz using OOK (same as for VW-3 and VW-4), transmitting Manchester-encoded data at a bitrate of 1 kBit/s.

VW-3: Employed for models from approximately 2006 onwards, using a frequency of 434.4 MHz and Manchester encoding at a bitrate of 1.667 kBit/s. The packet format differs considerably from VW-2.

VW-4: The most recent scheme we analyzed, found in vehicles between approximately 2009 and 2016. The system shares frequency, encoding, and packet format with VW-3, but uses a different encryption algorithm (see below).

The remaining three schemes are used in Audi vehicles from approximately 2005 until 2011 (VW-5), the VW Passat since 2005 (model B6/type 3C and newer, VW-6) and new VW vehicles like the Golf 7 (VW-7). We have not further investigated the security of these systems, but at least for older vehicles, it seems likely that similar design choices as for VW-1–VW-4 were made.

For our initial analyses, we implemented the most likely demodulation and decoding procedure for all of the above systems. We then collected rolling codes of multiple remote controls for each scheme and compared the resulting data. For all schemes VW-1–VW-4, we found that most of the packet content appeared to be encrypted, except for a fixed start pattern and the value of the pressed button sent in plain. We hence assumed that all systems use implicit authentication, i.e., check the correctness of a rolling code after decryption. Demodulation routines for VW-3 and VW-4 were independently published in 2015 [6] after we had carried out our preliminary analysis. Note that this does not cover any of the cryptographic algorithms presented here.

3.1 Analysis of Remote Control and ECU

We obtained various VW Group remote controls and extracted the Printed Circuit Boards (PCBs) for further analysis of the hardware. A typical PCB for a VW Group RKE remote includes a Microcontroller (µC), an RF transmitter, an antenna (integrated on the PCB) and a coin cell battery as the main components. On many remote control PCBs (e.g., implementing VW-2), we found a µC marked with Temic/Atmel M44C890E, cf. Figure 4. According to the datasheet available online [3], this µC is a 4-bit processor, the so-called MARC4. The µC is mask-programmed, i.e., the program code is placed in Read Only Memory (ROM) and hence fixed at manufacturing. According to Laurie [21], it is possible to re-construct the program code of MARC4 processors by taking microscopic photographs of the ROM memory and applying further image processing to extract the value of each individual bit. However, we did not follow this approach because we did not have access to suitable microscopic equipment.

Figure 4: PCB of an older VW Group remote control using a MARC4 µC

When studying remote controls of newer vehicles, we found different, not easily identifiable µCs on the PCB. An example of this is shown in Figure 5: We could not identify the type of µC from the markings on the main IC (top, towards the right), which complicates the reverse engineering.

Figure 5: PCB of a newer VW Group remote control using an unidentified µC

It seemed conceivable that some form of key derivation could be present, which would have to be implemented on the receiving ECU's side. Thus, we opted to analyze the RKE ECUs in the vehicle that receive and process the remote control signals. We therefore bought a number of ECUs implementing the respective RKE functionality, and attempted to extract the firmware of the µCs present on the PCB of the ECU. Note that in contrast to the low-power 4-bit or 8-bit processors usually employed in the remote control, the RKE ECUs often handle numerous additional features of the vehicle and thus utilize a more powerful, Flash-programmable 16-bit or 32-bit µC (with documented debug and programming interfaces).

Using widely available, standard programming tools for automotive processors, we were able to obtain firmware dumps for all studied ECUs. We then located and recovered the cryptographic algorithms by performing static analysis of the firmware image, searching amongst others for constants used in common symmetric ciphers and common patterns of such ciphers (e.g., table lookups, sequences of bitwise operations). The results of this process are described in more detail for each scheme VW-1–VW-4 in the following. Note that as part of our negotiations with VW Group, and to protect VW Group customers, we agreed to not fully disclose the part numbers of the analyzed ECUs and the employed µCs at this point. We furthermore agreed to omit certain details of the reverse-engineering process, as well as the values of cryptographic keys.

3.2 The VW-1 Scheme

The VW-1 system is the only VW Group scheme discussed in this paper that operates at 433.92 MHz (all newer systems use a frequency of 434.4 MHz). In contrast to newer RKE schemes, the start of a packet is not indicated by a long preamble, but by a single 1-0 pattern (500 µs high level, 500 µs low level). After this, the data bits are transmitted LSB-first in pulse-width encoded form: A zero is indicated by a short high level followed by a longer low level, while a one is represented with the opposite pattern (long high, short low). We discovered that the first four bytes hold the UID of the remote in an obfuscated form (several bytes of the packet are XORed). The following three bytes lfsr hold the (byte-permuted) state of a Linear Feedback Shift Register (LFSR) that is clocked a fixed number of ticks for each new rolling code (i.e., the LFSR state has the role of a counter). For reasons of responsible disclosure, we do not provide the full details of the obfuscation function and the LFSR feedback in this paper. One bit of the final nibble btn indicates the pressed button. The overall structure of a VW-1 rolling code packet is shown in Figure 6:

[Figure 6 fields: UID (bits 0–31) | lfsr (bits 32–55) | btn (bits 56–59)]
Figure 6: Packet structure of a rolling code for VW-1. Gray background indicates that the part is obfuscated or holds the LFSR state. The start pulse is not shown.

In conclusion, the security of the VW-1 is solely based on obscurity. Neither is there a cryptographic key involved in the computation of the rolling code, nor are there any vehicle or remote control specific elements for some form of key diversification. With the knowledge of the details of the obfuscation function and the LFSR, an adversary can generate valid rolling codes to open and close a VW-1 vehicle based on a single eavesdropped signal (to obtain the UID and the current state of the LFSR). Note that we observed similarly insecure LFSR-based schemes in older Audi vehicles built before 2004.

3.3 The VW-2 and VW-3 Schemes

Starting with VW-2, a rolling code packet has the following structure: A preamble (regular 0-1 pattern) is followed by a fixed start sequence start (individual per scheme), an encrypted 8-byte payload, and finally a byte btn indicating the button that was pressed. The packet structure (not showing the preamble) is depicted in Figure 7.

[Figure 7 fields: start (bits 0–23) | UID (bits 24–55) | ctr (bits 56–79) | btn′ (bits 80–87) | btn (bits 88–95)]
Figure 7: Packet structure of a rolling code for VW-2–4. Gray background indicates that the part is encrypted. Note that the fixed start pattern is shorter for VW-2.

The 8-byte payload is generated from the following plaintext: a 4-byte UID, a 3-byte counter ctr, and one byte btn′ again indicating the pressed button. This payload is then encrypted using a proprietary block cipher that we recovered from the ECU firmware as described in Section 3.1. We later found that this cipher appears to be the so-called AUT64 cipher employed in certain immobilizer transponders as well [4]. Hence, we will use the name AUT64 in the following and follow the notation given in the public datasheet.

AUT64 is an iterated cipher, operating on 8-byte blocks. It uses a round structure as depicted in Figure 8: In each round $i$ the state (represented as bytes $a_0 \ldots a_7$) is first byte-permuted, using a key-dependent permutation σ. This permutation is fully described by a $3 \cdot 2^3 = 24$ bit string. Then, bytes $a_0 \ldots a_6$ are left unchanged, while byte $a_7$ is updated using the round function $g(a_0, \ldots, a_7, key_i)$, where $key_i$ is a 32-bit round key. In the case of AUT64 in the VW Group system, the cipher has 12 rounds, while the datasheet [4] only specifies a possible number of rounds between 8 and 24.

[Figure 8 diagram: state bytes $a_0 \ldots a_7$ pass through the byte permutation σ, then $g$ updates $a_7$]
Figure 8: One round $i$ of the AUT64 block cipher as used in VW-2 and VW-3. $a_0, \ldots, a_7$ is the 8-byte state of the cipher, $g(a_0, \ldots, a_7, key_i)$ the round function.

The internal structure of $g$ is shown in Figure 9: The input bytes $a_0, \ldots, a_7$ are first combined with the 32-bit round key $key_i$ using a sequence of concatenations, table look-ups, and XOR operations denoted as $f$. Note that the round key is derived from a part (denoted as $k_f$ in the following) of the main key $k$ by a fixed, nibble-wise permutation per round. Each nibble of the 8-bit output of $f$ is then passed through the same 4-to-4 S-Box τ, bit-permuted using the same permutation σ used for the state (but applied on a bit-level), and again passed through a second instance of τ. Note that both σ and τ are key-dependent in addition to $key_i$. Hence, the full key of the AUT64 cipher is the tuple $k = \langle k_f, \sigma, \tau \rangle$ with an overall key size of $32 + 3 \cdot 2^3 + 4 \cdot 2^4 = 120$ bit.

[Figure 9 diagram: $a_0 \ldots a_7$ and the 32-bit $key_i$ enter the combining function $f$; its 8-bit output passes through S-Box τ, bit permutation σ, and S-Box τ]
Figure 9: One round function $g$ of the AUT64 block cipher as used in VW-2 and VW-3. $a_0, \ldots, a_7$ is the 8-byte state of the cipher, $key_i$ the round key.

However, not all choices for τ and σ are permissible in order to have a bijective S-Box and a valid permutation—in total, there are 16! bijective 4-to-4 S-Boxes and 8! permutations. This results in an effective key size of $32 + \log_2(8!) + \log_2(16!) = 91.55$ bit. Finding an AUT64 key by exhaustive search is therefore beyond current computational capabilities, where a security level of 80 bit is usually deemed acceptable for lightweight ciphers.

We have not further analyzed the mathematical security of the cipher, but believe this to be an interesting research problem, especially due to the unconventional design with several key-dependent operations. For the analysis of the VW-2 and VW-3 RKE systems, however, it turned out that no further cryptanalysis is necessary: Both schemes use a fixed, global master key independent of vehicle or remote control. In other words, this means that the same AUT64 key is stored in millions of ECUs and RKE remotes, without any key diversification being employed at all. The sole means by which the vehicle determines if a rolling code is valid is hence by white-listing certain UIDs and checking if the counter is within the validity window. Incidentally, this also implies that a VW Group vehicle using a particular scheme receives and decrypts all rolling codes for that scheme transmitted in the vicinity.

Note that the global AUT64 master keys for VW-2 and VW-3 are different, but both can be extracted from the ECU firmware and possibly from the µC in the remote control as well (e.g. with invasive attacks like micro-probing or side-channel analysis).

3.4 The VW-4 Scheme

In newer VW Group vehicles from approximately 2009 onwards, we found an RKE system that has the same encoding and packet structure as VW-3 (although with a different start pattern), but does not employ the AUT64 cipher. For this system VW-4, the analysis of the respective ECU firmware revealed that the XTEA cipher [24] is used to encrypt a rolling code packet with a format otherwise identical to VW-3 (cf. Figure 7).

XTEA is a block cipher based on a 64-round Feistel structure with 64-bit block size and 128-bit key. Due to the structure of the round function based on Addition, Rotate, XOR (ARX) operations, it is well suited for lightweight software implementations required for low-end and low-power devices like RKE remotes. The best known cryptanalytical attack on XTEA [22] is of theoretical nature (related-key rectangle attack on 36 rounds with $2^{63.83}$ byte of data and $2^{104.33}$ steps) and hence not relevant in the context of RKE systems.

However, again we found that a single, worldwide key is used for all vehicles employing the VW-4 system. The same single point of failure of the older systems VW-1–VW-3 is hence also present in recently manufactured vehicles. For example, we found this scheme implemented in an Audi Q3, model year 2016, and could decrypt and generate new valid rolling codes to open and close this vehicle (and numerous other VW Group vehicles, cf. Section 3.5.1).

3.5 Implications and Observations

As the main result of this section, we discovered that the RKE systems of the majority of VW Group vehicles have been secured with only a few cryptographic keys that have been used worldwide over a period of almost 20 years. With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control. Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times.

We observed that (mostly) VW-4 vehicles blocked the original remote control if a valid rolling code with a counter more than 2 behind is received. In other words, if ctr is the value expected by the vehicle, any rolling code with ctr − 2 or less leads to the blocking. If an adversary sends at least two valid signals with increased counter values (e.g., "unlock" and "lock"), the original remote control of the owner will stop working in the moment when the car receives an outdated signal. In this case, usually automatic resynchronization procedures described in the respective vehicle's manual help technically experienced car owners to re-synchronize the remote control to the car. In contrast, if the adversary only sends a single valid signal, the original remote will not be blocked, but only operate on the second button press, because the counter in vehicle and remote are in sync afterwards. Note that the blocking behaviour could be used for an automatized Denial-of-Service (DoS) attack (aiming to lock out the legitimate car owners of affected vehicles) by intentionally sending an old signal (with a counter value of ctr − 2 or less).

In conclusion, while the cryptographic algorithms have improved over the years (from LFSR over AUT64 to XTEA), the crucial problem of key distribution has not been properly solved in the studied schemes VW-1–4. However, according to VW Group, this problem has been addressed in the latest generation of vehicles, where individual cryptographic keys are used. We discuss the consequences and general implications of a successful attack on an RKE system in more detail in Section 5.

3.5.1 Vulnerable Vehicles

Our findings affect amongst others the following VW Group vehicles manufactured between 1995 and 2016. Cars that we have practically tested are highlighted in bold. Note that this list is not exhaustive, as we did not have access to all types and model years of cars, and that it is unfortunately not clear if and when a car model has been upgraded to a newer scheme.

Audi: A1, Q3, R8, S3, TT, various other types of Audi cars (e.g. remote control part number 4D0 837 231)

VW: Amarok, (New) Beetle, Bora, Caddy, Crafter, e-Up, Eos, Fox, Golf 4, Golf 5, Golf 6, Golf Plus, Jetta, Lupo, Passat, Polo, T4, T5, Scirocco, Sharan, Tiguan, Touran, Up

Seat: Alhambra, Altea, Arosa, Cordoba, Ibiza, Leon, MII, Toledo

Škoda: City Go, Roomster, Fabia 1, Fabia 2, Octavia, SuperB, Yeti

It is conceivable that all VW Group (except for some Audi) cars manufactured in the past and partially today rely on a "constant-key" scheme and are thus vulnerable to the attacks described in this paper, except for those cars that rely on the latest platform, e.g., the Golf 7 for VW.

Note that identical VW Group cars are sold under different names in other countries, e.g., some Golf versions were sold as "Rabbit" in North America. We have tested some remote controls operating at 315 MHz, e.g., for the US market, and found them to be vulnerable to our attacks as well, i.e., the only difference to their European counterparts is the operating frequency. Furthermore, cars of different brands may share the same basic technology, e.g., we found some model years of Ford Galaxy that have the same flawed RKE system as their VW Group derivatives VW Sharan and Seat Alhambra.

4 Case Study 2: The Hitag2 System

The Hitag2 rolling code system is an example of an RKE scheme that is not specific to a single vehicle brand. Instead, it is implemented on the PCF7946 and PCF7947 ICs manufactured by NXP.
While these ICs contain an 8-bit general-purpose µC that 3.5.2 Temporary Countermeasures (in theory) allows to realize a fully proprietary scheme[26],itappearsthatnumerousvehiclemanu- Completely solving the described security problems facturers have used a similar (though not identical) wouldrequireafirmwareupdateorexchangeofboth RKE system, potentially following NXP’s reference therespectiveECUand(worse)thevehiclekeycon- implementation. In contrast to the VW Group sys- taining the remote control. Due to the strict testing tem described in Section 3, it seems that manufac- and certification requirements in the automotive in- turers did not use a fixed, global cryptographic key. dustry and the high cost of replacing or upgrading Hence, to break this system, we developed a novel all affected car keys in the field, it is unlikely that attack to exploit the cryptographic weaknesses of VW Group can roll out such an update in the short Hitag2 in the RKE context. term. Hence, we give recommendations for users of We first describe the Hitag2 cipher, which was affected vehicles in the following. previously published in [35]. We have fully reverse- Thewell-knownadvice(seee.g.[25])toverifythat engineered the rolling code scheme used in the a vehicle was properly locked with the remote con- Hitag2remotecontrolICsPCF7946/7947asfurther trol (blinking direction lights, sound) is no longer described in Section 4.2. The analysis was done in sufficient. Anadversarymayhaveeavesdroppedthe a black-box fashion—we used a remote control for “lock” signal from a distance of up to 100m and which we were able to obtain the Hitag2 key (since generateanew,valid“unlock”rollingcodeanytime itwassharedwiththeimmobilizerinthisparticular later. Preventing or detecting the eavesdropping of case), guessed potential implementations (based on RFsignalsisimpractical. 
Hence,theonlyremaining the immobilizer protocol) for the rolling code sys- (yetimpractical)countermeasureistofullydeactiv- tem, and finally recovered the complete scheme. In ate or at least not use the RKE functionality and contrast to the analysis of the VW Group systems, resort to the mechanical lock of the vehicle. Note no firmware extraction and reverse-engineering of that in addition, for many cars, the alarm will trig- program code was necessary. ger after a while if the car doors or the trunk are To this date, the best known practical cryptana- mechanically opened, unless the immobilizer is dis- lysisofHitag2wasproposedin[32]inthecontextof armed with the original key. vehicle immobilizers. Their attack requires 136 au- With respect to forensics, there are several po- thentication attempts and 235 encryptions/lookups, tential indicators (due to the nature of rolling code which take 5 minutes on a laptop. In the context schemes) that the remote control may have been of RKE systems, gathering 136 rolling code traces cloned: If the vehicle does not unlock on the first is not practical in a realistic scenario, as it requires buttonpress,thiscouldimplythatanadversaryhas to wait for the victim to push a button on the re- sent valid rolling codes with counter values greater mote that many times. We therefore propose a new than the one stored in the original remote control. attack that requires eavesdropping less authentica- Note that no traces of the attack are left once the tion attempts (usually between 4 and 8) and one counter in the original remote control has caught minute computation on a laptop. In Section 4.4, we up with the increased value stored in the car. Fur- present our novel correlation attack on Hitag2 in a ther, a complete blocking of the remote control (see RKE scenario. above) may be an indicator (e.g., for insurance- We first need to introduce some notation. 
Let related court cases) that the RKE system was at- F2 = 0,1 the field of two elements (or the set { } tacked. It should however be taken into account of Booleans). The symbol denotes exclusive-or ⊕ that, according to our practical tests, the remote (XOR) and 0n denotes a bitstring of n zero-bits. control will also be blocked if the car receives a Given two bitstrings x and y, xy denotes their con- counterthatisincreasedbymorethan250compared catenation. x denotes the bitwise complement of tothelaststoredvalue—thiscouldforexamplehap- x. We write y to denote the i-th bit of y. For ex- i pen if the remote control buttons are pushed many ample,giventhebitstringy=0x03,y =y =0and 0 1 times while not in the range of the vehicle. y =y =1. We denote encryptions by . 6 7 {−} 9 USENIX Association 25th USENIX Security Symposium 937
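The counter behaviour reported in Sections 3.5 and 3.5.2 can be replayed as a small state machine to see which of the forensic indicators an owner would actually observe. This is an added model, not code from the paper or from any vehicle; the class and function names, the starting counter 100 and the treatment of ctr − 1 as a plain reject are assumptions, and counter wrap-around is ignored.

```python
from dataclasses import dataclass

BEHIND_BLOCK = 2    # from the text: a valid code with ctr - 2 or less blocks the remote
AHEAD_BLOCK = 250   # from the text: more than 250 above the last stored value blocks


@dataclass
class Receiver:
    """Constructed model of the vehicle-side counter check for one whitelisted UID."""
    stored: int            # last counter value the vehicle accepted
    blocked: bool = False

    def receive(self, ctr: int) -> str:
        expected = self.stored + 1
        if self.blocked:
            return "ignored (remote blocked)"
        if ctr - self.stored > AHEAD_BLOCK:
            self.blocked = True
            return "blocked: counter too far ahead"
        if ctr >= expected:
            self.stored = ctr
            return "accepted"
        if ctr <= expected - BEHIND_BLOCK:
            self.blocked = True
            return "blocked: outdated counter"
        return "rejected"  # ctr == expected - 1; assumed to be a plain reject


def owner_presses(foreign_codes: int, unheard_presses: int = 0, presses: int = 3) -> list:
    """Vehicle verdicts for the owner's next presses after the given history."""
    car = Receiver(stored=100)            # constructed starting counter
    remote_ctr = 100 + unheard_presses    # presses made out of range of the car
    for _ in range(foreign_codes):        # valid codes that did not come from the owner
        car.receive(car.stored + 1)
    verdicts = []
    for _ in range(presses):
        remote_ctr += 1
        verdicts.append(car.receive(remote_ctr))
    return verdicts


def owner_view(verdicts: list) -> list:
    """Collapse verdicts to what the owner can actually observe at the car."""
    return ["unlocks" if v == "accepted" else "no reaction" for v in verdicts]
```

`owner_view(owner_presses(2))` and `owner_view(owner_presses(0, 250))` are identical, which is the caveat stated in Section 3.5.2: a blocked remote alone does not distinguish an attack from many button presses made out of range.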