A paper called “Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer” reveals massive weaknesses in the security systems used by many car manufacturers.
The vulnerabilities were uncovered by researchers two years ago, but because of legal action the findings could not be published at the time.
The research focusses on the Megamos Crypto transponder, which is used in electronic vehicle immobilizers. This transponder is a passive RFID tag which is embedded in the key of the vehicle.
The immobilizer is an anti-theft device, preventing the engine of a vehicle from starting when the key transponder is not present.
It is used by Audi, Fiat, Honda, Volkswagen and Volvo cars, as well as some models of Alfa Romeo, Chevrolet, Citroen, Isuzu, Kia, Opel, Porsche, and Ssangyong.
The researchers have reverse-engineered all proprietary security mechanisms of the transponder, including the cipher and the authentication protocol.
The paper reveals several weaknesses in the design of the cipher and the authentication protocol, and in their implementation.
“We exploit these weaknesses in three attacks that recover the 96-bit transponder secret key,” said the researchers. “These three attacks only require wireless communication with the system.”
- The first attack exploits weaknesses in the cipher design and in the authentication protocol. They show that having access to two eavesdropped authentication traces is enough to recover the 96-bit secret key with a computational complexity of 2^56 cipher ticks (equivalent to 2^49 encryptions).
- The second attack exploits a weakness in the key update mechanism of the transponder. This attack recovers the secret key after 3×2^16 authentication attempts with the transponder and negligible computational complexity. They have executed this attack in practice on several vehicles. They were able to recover the key and start the engine with a transponder-emulating device. Executing this attack takes 30 minutes.
- The third attack exploits the fact that some car manufacturers set weak cryptographic keys in their vehicles. They propose a time-memory trade-off which recovers a weak key after a few minutes of computation on a standard laptop.
The researchers warned that the implications of these attacks are serious for those vehicles with keyless ignition.
“At some point, the mechanical key was removed from the vehicle, but the cryptographic mechanisms were not strengthened to compensate.”
Megamos Crypto vulnerability

|Make|Models|
|---|---|
|Alfa Romeo|147, 156, GT|
|Audi|A1, A2, A3, A4 (2000), A6, A8, Allroad, Cabrio, Coupe, Q7, S2, S3, S4, S6, S8, TT (2000)|
|Chevrolet|Aveo, Kalos, Matiz, Nubira, Spark, Evanda, Tacuma|
|Citroen|Jumper (2008), Relay|
|Daewoo|Kalos, Lanos, Leganza, Matiz, Nubira, Tacuma|
|DAF|CF, LF, XF|
|Ferrari|California, 612 Scaglietti|
|Fiat|Albea, Doblò, Idea, Mille, Multipla, Palio, Punto (2002), Seicento, Siena, Stilo, Ducato (2004)|
|Honda|Accord, Civic, CR-V, FR-V, HR-V, Insight, Jazz (2002), Legend, Logo, S2000, Shuttle, Stream|
|Kia|Carnival, Clarus, Pride, Shuma, Sportage|
|Lancia|Lybra, Musa, Thesis, Y|
|Porsche|911, 968, Boxster|
|Seat|Altea, Córdoba, Ibiza, Leon, Toledo|
|Skoda|Fabia (2011), Felicia, Octavia, Roomster, Super, Yeti|
|Ssangyong|Korando, Musso, Rexton|
|Volkswagen|Amarok, Beetle, Bora, Caddy, Crafter, Cross Golf, Dasher, Eos, Fox, Gol, Golf (2006, 2008), Individual, Jetta, Multivan, New Beetle, Parati, Polo, Quantum, Rabbit, Saveiro, Santana, Scirocco (2011), Touran, Tiguan, Voyage, Passat (1998, 2005), Transporter|
|Volvo|C30, S40 (2005), S60, S80, V50, V70, XC70, XC90, XC94|