Supplement To The Proceedings Of The 22nd USENIX Security .


USENIX Association

Supplement to the Proceedings of the 22nd USENIX Security Symposium

August 14–16, 2013
Washington, D.C.

Message from the 22nd USENIX Security Symposium Program Chair and USENIX Executive Director

In this supplement to the Proceedings of the 22nd USENIX Security Symposium, we are pleased to announce the publication of the paper, “Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer,” by Roel Verdult, Flavio D. Garcia, and Baris Ege. This paper, which was accepted by the USENIX Security ’13 Program Committee, was withdrawn from publication by its authors in response to the imposition of an injunction by the High Court of Justice in the United Kingdom prohibiting the authors, their institutions, and anyone who assists them, from publishing key sections of the paper. We now join the authors in their delight that USENIX may now publish their paper in this supplement to the original Proceedings. Verdult and Garcia will present the paper in a special evening session during the 24th USENIX Security Symposium. Although two years have passed, this work remains important and relevant to our community.

Sam King, USENIX Security ’13 Program Chair
Casey Henderson, USENIX Executive Director

Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer

Roel Verdult
Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands.
rverdult@cs.ru.nl

Flavio D. Garcia
School of Computer Science, University of Birmingham, UK.
f.garcia@cs.bham.ac.uk

Barış Ege
Institute for Computing and Information Sciences, Radboud University Nijmegen, The Netherlands.
b.ege@cs.ru.nl

Abstract

The Megamos Crypto transponder is used in one of the most widely deployed electronic vehicle immobilizers. It is used among others in most Audi, Fiat, Honda, Volkswagen and Volvo cars. Such an immobilizer is an anti-theft device which prevents the engine of the vehicle from starting when the corresponding transponder is not present. This transponder is a passive RFID tag which is embedded in the key of the vehicle.

In this paper we have reverse-engineered all proprietary security mechanisms of the transponder, including the cipher and the authentication protocol which we publish here in full detail. This article reveals several weaknesses in the design of the cipher, the authentication protocol and also in their implementation. We exploit these weaknesses in three practical attacks that recover the 96-bit transponder secret key. These three attacks only require wireless communication with the system. Our first attack exploits weaknesses in the cipher design and in the authentication protocol. We show that having access to only two eavesdropped authentication traces is enough to recover the 96-bit secret key with a computational complexity of 2^56 cipher ticks (equivalent to 2^49 encryptions). Our second attack exploits a weakness in the key-update mechanism of the transponder. This attack recovers the secret key after 3 × 2^16 authentication attempts with the transponder and negligible computational complexity. We have executed this attack in practice on several vehicles. We were able to recover the key and start the engine with a transponder emulating device. Executing this attack from beginning to end takes only 30 minutes. Our third attack exploits the fact that some car manufacturers set weak cryptographic keys in their vehicles. We propose a time-memory trade-off which recovers such a weak key after a few minutes of computation on a standard laptop.

1 Introduction

Electronic vehicle immobilizers have been very effective at reducing car theft. Such an immobilizer is an electronic device that prevents the engine of the vehicle from starting when the corresponding transponder is not present. This transponder is a low-frequency RFID chip which is typically embedded in the vehicle’s key. When the driver starts the vehicle, the car authenticates the transponder before starting the engine, thus preventing hot-wiring. In newer vehicles the mechanical ignition key has often been removed and replaced by a start button, see Figure 1(a). In such vehicles the immobilizer transponder is the only anti-theft mechanism that prevents a hijacker from driving away.

A distinction needs to be made between the vehicle immobilizer and the remotely operated central locking system. The latter is battery powered, operates at an ultra-high frequency (UHF), and only activates when the user pushes a button on the remote to (un)lock the doors of the vehicle. Figure 1(b) shows a disassembled car key where it is possible to see the passive Megamos Crypto transponder and also the battery powered remote of the central locking system.

Figure 1: Megamos Crypto integration in vehicular systems. (a) Keyless ignition with start button. (b) Megamos Crypto transponder in a car key.

The Megamos Crypto transponder is the first cryptographic immobilizer transponder manufactured by [19] and is currently one of the most widely used. The manufacturer claims to have sold more than 100 million immobilizer chips including Megamos Crypto transponders [22]. Figure 2 shows a list of vehicles that use or have used Megamos Crypto at least for some version/year. As it can be seen from this list, many Audi, Fiat, Honda, Volkswagen and Volvo cars used Megamos Crypto transponders at the time of this research (fall 2012).

The transponder uses a 96-bit secret key and a proprietary cipher in order to authenticate to the vehicle. Furthermore, a 32-bit PIN code is needed in order to be able to write on the memory of the transponder. The concrete details regarding the cipher design and authentication protocol are kept secret by the manufacturer and little is currently known about them.

From our collaboration with the local police it was made clear to us that sometimes cars are being stolen and nobody can explain how. They strongly suspect the use of so-called ‘car diagnostic’ devices. Such a device uses all kind of custom and proprietary techniques to bypass the immobilizer and start a car without a genuine key. This motivated us to evaluate the security of vehicle immobilizer transponders. There are known attacks for three of the four widely used immobilizer transponders, namely DST40, Keeloq and Hitag2. Although, at the time of this research, little was known about the security of the Megamos Crypto

Figure 2: Vehicles that used Megamos Crypto for some version/year [39]. Boldface and year indicate specific vehicles we experimented with.

Make: Alfa Romeo, erati, Opel, Pontiac, Porsche, Seat, Skoda, Ssangyong, Tagaz, Volkswagen, Volvo

Models:
147, 156, GT
A1, A2, A3, A4 (2000), A6, A8, Allroad, Cabrio, Coupé, Q7, S2, S3, S4, S6, S8, TT (2000)
Regal
CTS-V, SRX
Aveo, Kalos, Matiz, Nubira, Spark, Evanda, Tacuma
Jumper (2008), Relay
Kalos, Lanos, Leganza, Matiz, Nubira, Tacuma
CF, LF, XF
California, 612 Schaglietti
Albea, Doblò, Idea, Mille, Multipla, Palio, Punto (2002), Seicento, Siena, Stilo, Ducato (2004)
Barina, Frontera
Accord, Civic, CR-V, FR-V, HR-V, Insight, Jazz (2002), Legend, Logo, S2000, Shuttle, Stream
Rodeo
Eurocargo, Daily
Carnival, Clarus, Pride, Shuma, Sportage
Lybra, Musa, Thesis, Y
Quattroporte
Frontera
G3
911, 968, Boxster
Altea, Córdoba, Ibiza, Leon, Toledo
Fabia (2011), Felicia, Octavia, Roomster, Super, Yeti
Korando, Musso, Rexton
Road Partner
Amarok, Beetle, Bora, Caddy, Crafter, Cross Golf, Dasher, Eos, Fox, Gol, Golf (2006, 2008), Individual, Jetta, Multivan, New Beetle, Parati, Polo, Quantum, Rabbit, Saveiro, Santana, Scirocco (2011), Touran, Tiguan, Voyage, Passat (1998, 2005), Transporter
C30, S40 (2005), S60, S80, V50, V70, XC70, XC90, XC94

1.1 Our contribution

In this paper we have fully reverse-engineered all cryptographic mechanisms of Megamos Crypto which we publish here in full detail. For this we used IDA Pro (https://www.hex-rays.com/products/ida/) to decompile the software package that comes with the Tango Programmer (http://www.scorpio-lk.com).

Furthermore, we have identified several weaknesses in Megamos Crypto which we exploit in three attacks. Our first attack consists of a cryptanalysis of the cipher and the authentication protocol. Our second and third attack not only look at the cipher but also at the way in which it is implemented and poorly configured by the automotive industry.

Our first attack, which comprises all vehicles using Megamos Crypto, exploits the following weaknesses.

• The transponder lacks a pseudo-random number generator, which makes the authentication protocol vulnerable to replay attacks.
• The internal state of the cipher consists of only 56 bits, which is much smaller than the 96-bit secret key.
• The cipher state successor function can be inverted, given an internal state and the corresponding bit of cipher-text it is possible to compute the predecessor state.
• The last steps of the authentication protocol provide an adversary with 15 bits of known plaintext.

We present two versions of this attack. First we introduce a simple (but more computationally intensive) attack that recovers the secret key of the transponder with a computational complexity of 2^56 encryptions. Then we optimize this attack, reducing its computational complexity to 2^49 by using a time-memory trade-off. For this trade-off, a 12 terabyte lookup table needs to be pre-computed. This optimized version of the attack takes advantage of the fact that some of the cipher components can be run quite autonomously.

Our second attack exploits the following weaknesses.

• Currently, the memory of many Megamos Crypto transponders in the field is either unlocked or locked with a publicly known default PIN code [17]. This means that anybody has write access to the memory of the transponder. This also holds for the secret key bits.
• The 96-bit secret key is written to the transponder in blocks of 16 bits instead of being an atomic operation.

This attack recovers the 96-bit secret key of such a transponder within 30 minutes. This time is necessary to perform 3 × 2^16 authentication attempts to the transponder and then recover the key with negligible computational complexity. We have executed this attack in practice and recovered the secret key of several cars from various makes and models. Having recovered the key we were able to emulate the transponder and start the vehicles.

Our third attack is based on the following observation. Many of the keys that we recovered using the previous attack had very low entropy and exhibit a well defined pattern, i.e., the first 32 bits of the key are all zeros. This attack consists of a time-memory trade-off that exploits this weakness to recover the secret key, within a few minutes, from two authentication traces. This attack requires storage of a 1.5 terabyte rainbow table.

We propose a simple but effective mitigating measure against our second attack. This only involves setting a few bits on the memory of the transponder and can be done by anyone (even the car owners themselves) with a compatible RFID reader.

Finally, we have developed an open source library for custom and proprietary RFID communication schemes that operate at a frequency of 125 kHz. We used this library to provide eavesdropping, emulation and reader support for Megamos Crypto transponders with the Proxmark III device (http://www.proxmark.org/). The reader functionality allows the user to send simple commands like read and write to the transponder. In particular, this library can be used to set the memory lock bit and a random PIN code as a mitigation for our second attack, as described in Section 8.

1.2 Related work

In the last decades, semiconductor companies introduced several proprietary algorithms specifically for immobilizer security. Their security often depends on the secrecy of the algorithm. When their inner-workings are uncovered, it is often only a matter of weeks before the first attack is published. There are several examples in the literature that address the insecurity of proprietary algorithms. The most prominent ones are those breaking A5/1 [31], DECT [45, 47], GMR [18], WEP [24] and also many RFID systems like the MIFARE Classic [16, 26, 29, 46], CryptoRF [30] and iClass [27, 28].

Besides Megamos Crypto, there are only three other major immobilizer products being used. The DST transponder which was reverse-engineered and attacked by Bono et al. in [9]; KeeLoq was first attacked by Bogdanov in [6] and later this attack was improved in [12, 36, 38]; Hitag2 was anonymously published in [60] and later attacked in [8, 13, 35, 52, 53, 57, 58].

With respect to vehicle security, Koscher et al. attracted a lot of attention from the scientific community when they demonstrated how to compromise the board computer of a modern car [11, 40]. They were able to remotely exploit and control many car features such as tracking the car via GPS and adjust the speeding of the car. In 2011, Francillon et al. [25] showed that with fairly standard equipment it is possible to mount a relay attack on all keyless-entry systems that are currently deployed in modern cars.

The scientific community proposed several alternatives [43, 44, 59, 61, 62] to replace the weak proprietary ciphers and protocols. There are several commercial vehicle immobilizer transponders that make use of standard cryptography, like AES [14]. Examples include the Hitag Pro transponder from NXP Semiconductors and ATA5795 transponder from Atmel. To the best of our knowledge, only Atmel made an open protocol design [1] and published it for scientific scrutiny. The security of their design was analyzed by Tillich et al. in [54].

2 Technical background

This section briefly describes what a vehicle immobilizer is and how it is used by the automotive industry. Then we describe the hardware setup we use for our experiments. Finally we introduce the notation used throughout the paper.

2.1 Immobilizer

To prevent a hijacker from hot-wiring a vehicle, car manufacturers incorporated an electronic car immobilizer as an extra security mechanism. In some countries, having such an immobilizer is enforced by law. For example, according to European Commission directive (95/56/EC) it is mandatory that all cars sold in the EU from 1995 are fitted with an electronic immobilizer. Similar regulations apply to other countries like Australia, New Zealand (AS/NZS 4601:1999) and Canada (CAN/ULC-S338-98). Although in the US it is not required by law, according to the independent organization Insurance Institute for Highway Safety (IIHS), 86 percent of all new passenger cars sold in the US had an engine immobilizer installed [55].

An electronic car immobilizer consists of three main components: a small transponder chip which is embedded in (the plastic part of) the car key, see Figure 1(b); an antenna coil which is located in the dashboard of the vehicle, typically around the ignition barrel; and the immobilizer unit that prevents the vehicle from starting the engine when the transponder is absent.

The immobilizer unit communicates through the antenna coil and enumerates all transponders that are in proximity of field. The transponder identifies itself and waits for further instructions. The immobilizer challenges the transponder and authenticates itself first. On a successful authentication of the immobilizer unit, the transponder sends back its own cryptographic response. Only when this response is correct, the immobilizer unit enables the engine to start.

The immobilizer unit is directly connected to the internal board computer of the car, also referred to as Electrical Control Unit (ECU). To prevent hot-wiring a car, the ECU blocks fuel-injection, disables spark-plugs and deactivates the ignition circuit if the transponder fails to authenticate.

2.2 Hardware setup

We used the Proxmark III to eavesdrop and communicate with the car and transponder. This is a generic RFID protocol analysis tool [56] that supports raw data sampling at a frequency of 125 kHz. We implemented a custom firmware and FPGA design that supports the modulation and encoding schemes of Megamos Crypto transponders. The design samples generic analog-digital converter (ADC) values and interprets them in real-time in the micro-controller. We have implemented commands to eavesdrop, read and emulate a transponder. Our library is able to decode field and transponder modulation simultaneously and is very precise in timing.

Figure 3: Proxmark 3

2.3 Notation

Throughout this paper we use the following mathematical notation. Let F2 {0, 1} be the set of Booleans. The symbol denotes exclusive-or (XOR), 0^n denotes a bitstring of n zero-bits. ε denotes the empty bitstring. Given two bitstrings x and y, xy denotes their concatenation. Sometimes we write this concatenation explicitly with x · y to improve readability. x denotes the bitwise complement of x. Given a bitstring x F2^k, we write xi to denote the i-th bit of x. For example, given the bitstring x 0x03 00000011 F2^8, x0 0 and x6 x7 1.

3 Megamos Crypto

This section describes Megamos Crypto in detail. We first describe the Megamos Crypto functionality, memory structure, and communication protocols; this comes from the product datasheet [21] and the application note [23]. Then we briefly describe how we reverse-engineered the cryptographic algorithms and protocols used in Megamos Crypto. Finally, we describe these algorithms and protocols in detail.

3.1 Memory

There are two types of Megamos Crypto transponders, in automotive industry often referred to as Magic I (V4070) [20] and Magic II (EM4170) [21]. The EM4170 transponder is the newer version and it has 16 memory blocks of 16-bit words. The contents of these memory blocks are depicted in Figure 4. The older version (V4070) supports exactly the same read and write operations and cryptographic algorithms, but it only has 10 memory blocks. The blocks 10 to 15, which store 64 bits of additional user memory and a 32-bit PIN code are simply not readable. The EM4170 transponder uses the same communication and is therefore backwards compatible with the V4070 transponder. Note that in some cars the new revision is deployed as replacement for the V4070 without making use of, or even initializing the additional user memory blocks and PIN code. The whole memory is divided in three sections with different access rights, see Figure 4.

The transponder identifier id is always read-only. The write access over the other memory blocks is determined by the value of the lock-bit l0. Just as specified, the value of lock-bit l1 does not have any influence on the memory access conditions. Similarly, a successful or failed authentication has no effect on the access conditions.

• When l0 = 0, all memory blocks (except id) of a Megamos Crypto transponder are still writable. The key k, PIN code pin are write-only and the user memory um blocks (which includes the lock-bits l) are read-write. However, after a successful write in block 1, the new value of l0 determines the access condition for future write operations.

• When l0 = 1, all writing is disabled. However, it does not affect the read access conditions. This means that the key k, PIN code pin can not be read out and the user memory um becomes read-only. Because the lock-bits l are stored in a user memory block they can always be read out.

The EM4170 allows to set the lock-bit l0 back to zero using a PIN code pin. A valid PIN code resets the access conditions and enables again writing of k, pin, um and l. The PIN code has to be known or overwritten to the transponder before it is locked, otherwise an exhaustive search of the PIN code is required.

Block  Content                  Denoted by
0      user memory              um0 ... um15
1      user memory, lock bits   um16 ... um29 l0 l1
2      device identification    id0 ... id15
3      device identification    id16 ... id31
4      crypto key               k0 ... k15
5      crypto key               k16 ... k31
6      crypto key               k32 ... k47
7      crypto key               k48 ... k63
8      crypto key               k64 ... k79
9      crypto key               k80 ... k95
10     pin code                 pin0 ... pin15
11     pin code                 pin16 ... pin31
12     user memory              um30 ... um45
13     user memory              um46 ... um61
14     user memory              um62 ... um77
15     user memory              um78 ... um93

Legend: read-only, write-only, read-write

Figure 4: Megamos Crypto transponder memory layout

3.2 Functionality and communication

The Megamos Crypto transponder supports four different operations: read, write, reset and authenticate.

• read operations are performed by three different commands, each returns multiple blocks. The transponder returns the concatenation of these blocks in one bitstring. The three available bitstrings are id31 ... id0, l1 l0 um29 ... um0 and um93 ... um30.
• write stores a 16-bit memory block in the memory of the transponder. The arguments for this command are the block number and the data. After receiving the command, the transponder stores the data in memory if the access conditions allow the requested write operation.
• reset takes the id and 32-bit PIN code as an argument. If the PIN code matches the value that is stored in pin, then the lock-bit l0 is reset, see Section 3.1 for more details about l0.
• authenticate takes three arguments. The first one is a 56-bit car nonce nC. The second argument is a bitstring of 7 zero bits. The datasheet [21] refers to them as “divergency bits”. It seems that these bit-periods are used to initialize the cipher. In Section 3.6 we show that the authentication protocol exactly skips 7 cipher steps before it starts generating output. The third argument is a 28-bit authenticator from the car aC. If successful, the transponder responds with its 20-bit authenticator aT.

When the driver turns on the ignition, several back-and-forward messages between the car and transponder are exchanged. It starts with the car reading out the transponder memory blocks that contain the identity, user memory and lock-bits. Next, the car tries to authenticate using the shared secret key k. If the authentication fails, the car retries around 20 times before it reports on the dashboard that the immobilizer failed to authenticate the transponder. Figure 5 shows an eavesdropped trace of a German car that initializes and authenticates a Megamos Crypto transponder.

To the best of our knowledge, there is no publicly available document that describes the structure of Megamos Crypto cipher. However, a simplified representation of the authentication protocol is presented in the EM4170 application note [23] as shown in Figure 6. It does not specify any details beyond the transmitted messages and the checks which the car and transponder must perform. The car authenticates by sending a nonce nC = Random and the corresponding authenticator aC = f(Rnd, K). When the car successfully authenticated itself, the Megamos Crypto transponder sends the transponder authenticator aT = g(Rnd, f, K) back to car.

Figure 6: Authentication procedure excerpt from [23]

For communication the Megamos Crypto transponder uses a low frequency wave of 125 kHz and applies amplitude shift keying (ASK) modulation by putting a small resistance on the electromagnetic field. It utilizes a custom encoding scheme for status bits and a Manchester encoding scheme for transmitting data bits. The Megamos Crypto immobilizer unit signals the transponder to receive a command by dropping the field two consecutive times in a small time interval. Then it drops the field a few microseconds to modulate a zero and leaves the field on to modulate a one.

             Message                                  Description
Car          3                                        Read identifier
Transponder  A9 08 4D EC                              Identifier id31 ... id0
Car          5                                        Read user memory and lock-bits
Transponder  80 00 95 13                              First user memory l1 l0 um29 ... um0
Car          F                                        Read large user memory (EM4170)
Transponder  AA AA AA AA AA AA AA AA                  Second user memory um93 ... um30
Car          6 3F FE 1F B6 CC 51 3F 07 F3 55 F1 A6    Authentication, nC55 ... nC0, 0^7, aC
Transponder  0 9D 6                                   Car authenticated successful, send back aT

Figure 5: Eavesdropped Megamos Crypto authentication using the 96-bit key 000000000000010405050905. The structure of the secret key of the car suggests that it has an entropy of only 24 bits.

This way of modulation introduces the side-effect that the immobilizer unit and the transponder could get out-of-sync. When the immobilizer unit sends a bitstring of contiguous ones, there are no field drops for almost 15 milliseconds. The manufacturer realized this was a problem, but instead of proposing an alternative communication scheme they suggest to choose random numbers with more zeros than ones and especially avoid sequential ones [23]. From a security perspective it sounds like a bad idea to suggest to system integrators that they should effectively drop entropy from the used random numbers.

To get a fair estimate of communication timings we did some experiments. With our hardware setup we were able to reach the highest communication speed with the transponder that is possible according to the datasheet. It allows us to read out the identifier id in less than 14 milliseconds and successfully authenticate within 34 milliseconds. These timings confirm that an adversary can wirelessly pickpocket the identifier and all its user memory in less than a second from a distance of one inch. Standing close to a victim for only a fraction of a second enables the adversary to gather the transponder identifier.

When this identifier is emulated to the corresponding car, it is possible to gather partial authentication traces. Because the transponder lacks a random generator, these partial traces can later be used to retrieve the responses from the transponder which extends them to successful authentication traces. With a number of successful authentication traces it is possible to recover the secret key as described in Section 5.

3.3 Reverse-engineering the cipher

Recent articles point out the lack of security [11, 40, 41] in modern cars. The software in existing cars is designed with safety in mind, but is still immature in terms of security. Legacy protocols and technologies are often vulnerable to a number of remote and local exploits.

Most car keys need to be preprogrammed, which is also referred to as pre-coded, before they can be associated to a car. During this initialization phase the user memory blocks are filled with manufacturer specific data to prevent mixing of keys. This step adds no security, it just restricts the usage of keys that were meant for a specific car make or model.

There are several car locksmith tools (http://www.istanbulanahtar.com, http://www.advanced-diagnostics.co.uk, http://www.jmausa.com) in the aftermarket that can initialize or change such transponder data. Such tools fully support the modulation/encoding schemes and communication protocol of the Megamos Crypto transponder. They implement some publicly available functionality like the read, write and reset commands. However, they do not implement the authentication protocol. To perform a successful authentication, knowledge of the Megamos Crypto cipher is necessary to compute the authentication messages aC and aT.

More advanced car diagnostic tools like AVDI (http://www.abritus72.com) and Tango Programmer (http://www.scorpio-lk.com) offer functionality that goes beyond “legitimate” usage. These devices are able to dump the board-computer memory, recover the dealer code, and add a new blank transponder to the car. For this the tools do not require a genuine key to be present but they do need physical access to the CAN bus.

These diagnostic tools use the Megamos Crypto authentication functionality to speed up the process of adding new transponders to the car. For this, the tool needs the Megamos Crypto algorithm to compute valid authentication attempts. We would like to emphasize that none of these tools is able to recover the secret key of a transponder or perform any kind of cryptanalysis. In fact, within the legitimate automotive industry Megamos Crypto is believed to be unclonable.

The software package that comes with the Tango Programmer implements all cryptographic operations of the transponder including the Megamos Crypto cipher. We have analyzed the software thoroughly and extracted the algorithm from it.

Since the application implements several counter measures against reverse-engineering, this task was not trivial at all. It is highly protected with an executable obfuscator that runs a custom virtual machine, as described in [51], and a number of advanced anti-debugging tricks to avoid exposure of its inner workings. To perform our security evaluation of the Megamos Crypto cipher we bypassed all these measures and reverse engineered the cipher in a semi-automatic way by observing the memory state changes and guessing the intermediate cryptographic calculations.

Furthermore, we observed every Megamos Crypto related function call from the program instructions memory segment. When the program counter entered a suspicious memory segment, we invoked our clean-up routine that automatically grouped and dropped all unnecessary instructions (unconditional re-routings, sequential operations on the same variables, random non-influential calculations). After analysing this at run-time, the actual working of the algorithm was quickly deduced from the optimized and simplified persistent instruction set.

Definition 3.2. The successor function for the Galois linear feedback shift register G : F2^23 F2 F2 F2^23 is defined as

G(g0 ... g22, i, j) ( j g22 )g0 g1 g2 (g3 g22 )(g4 i)(g5 g22 )(g6 g22 )g7 ... g12 (g13 g22 )g14 g15 (g16 g22 )g17 ... g21

We also overload the function G to multiple-bit input n 1 string G : F23 F232 F2 F22 as

G(g, i, j0 ... jn ) G(G(g, i, j1 ... jn ), i, j0 )

Definition 3.3. The successor function for the non-linear feedback shift register H : F2^13 F2^13 is defined as

H(h0 ... h12 ) ((h1 h8 ) (h9 h11) h12)h0 ... h11

Definition 3.4. The feedback function for the firs
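The access conditions of Sections 3.1 and 3.2 and the lock-bit mitigation announced in Section 1.1, modelled as an added example (not code from the paper or from the authors' library). The class and function names, the position of l0 inside block 1 and the placeholder default PIN are assumptions made for this illustration.

```python
import secrets

# Layout from Figure 4: 16 blocks of 16 bits.
ID_BLOCKS = (2, 3)           # id: always read-only
KEY_BLOCKS = range(4, 10)    # 96-bit key k: write-only
PIN_BLOCKS = (10, 11)        # 32-bit PIN: write-only
LOCK_BLOCK = 1               # um16..um29 followed by l0 and l1
L0_MASK = 0x0002             # assumption: position of l0 inside block 1


class AccessDenied(Exception):
    """The modelled transponder refused the operation."""


class Transponder:
    """Toy model of the EM4170 memory access rules (names are hypothetical)."""

    def __init__(self, ident, pin, locked=False):
        self.mem = [0] * 16
        self.mem[2], self.mem[3] = ident & 0xFFFF, ident >> 16
        self.mem[10], self.mem[11] = pin & 0xFFFF, pin >> 16
        if locked:
            self.mem[LOCK_BLOCK] |= L0_MASK

    @property
    def locked(self):
        return bool(self.mem[LOCK_BLOCK] & L0_MASK)

    def read(self, block):
        # Key and PIN stay unreadable whatever the lock bit says.
        if block in KEY_BLOCKS or block in PIN_BLOCKS:
            raise AccessDenied("k and pin are write-only")
        return self.mem[block]

    def write(self, block, word):
        if block in ID_BLOCKS:
            raise AccessDenied("id is read-only")
        if self.locked:
            raise AccessDenied("l0 = 1: all writing is disabled")
        # A write to block 1 changes l0 for every later write.
        self.mem[block] = word & 0xFFFF

    def reset(self, ident, pin):
        # reset takes the id and the 32-bit PIN; a match clears l0.
        stored_id = self.mem[2] | self.mem[3] << 16
        stored_pin = self.mem[10] | self.mem[11] << 16
        if ident == stored_id and pin == stored_pin:
            self.mem[LOCK_BLOCK] &= ~L0_MASK
            return True
        return False


def audit(tag, known_default_pins):
    """Report which weaknesses behind the second attack apply to this tag."""
    if not tag.locked:
        return ["UNLOCKED"]              # anyone in range may write k, pin, um
    ident = tag.read(2) | tag.read(3) << 16
    for pin in known_default_pins:
        if tag.reset(ident, pin):
            # Put the lock bit back so the audit leaves the tag as found.
            tag.write(LOCK_BLOCK, tag.read(LOCK_BLOCK) | L0_MASK)
            return ["DEFAULT_PIN"]
    return []


def harden(tag, avoid=()):
    """Write a random PIN first, then set l0; the order matters."""
    if tag.locked:
        raise AccessDenied("unlock with the current PIN before changing it")
    new_pin = secrets.randbits(32)
    while new_pin in avoid:              # never land on a known default
        new_pin = secrets.randbits(32)
    tag.write(10, new_pin & 0xFFFF)
    tag.write(11, new_pin >> 16)
    tag.write(LOCK_BLOCK, tag.read(LOCK_BLOCK) | L0_MASK)
    return new_pin                       # the owner needs it for a later reset


if __name__ == "__main__":
    PLACEHOLDER_DEFAULT_PIN = 0x00000000     # constructed value, not a real default
    tag = Transponder(ident=0x12345678, pin=PLACEHOLDER_DEFAULT_PIN)  # constructed id
    print("before:", audit(tag, [PLACEHOLDER_DEFAULT_PIN]))
    harden(tag, avoid=[PLACEHOLDER_DEFAULT_PIN])
    print("after: ", audit(tag, [PLACEHOLDER_DEFAULT_PIN]))
```

Setting l0 before the new PIN is written would leave the tag locked under the old PIN, which is why `harden` writes blocks 10 and 11 first.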
