Veedub flub hubbub stubs car-jack hack flap
Rent a Ferrari today, crack its crypto and STEAL it tomorrow
Dutch and British researchers Roel Verdult and Baris Ege, the duo behind the revelation that many VW cars have a security flaw, have now revealed that Ferraris, Maseratis, Pontiacs, and Porches that use Megamos Crypto transponders can be stolen.
The duo demonstrated how the Megamos engine immobiliser, which unlocks when an owner's RFID chip is physically present, can be bypassed to steal the luxury cars.
They say the close-range wireless attacks could take place in "real-life situations" such as valet parking and car rental, feats made speedier with two actors targeting the car and key.
The work was almost revealed at the USENIX Security conference this month after Volkswagen spent some two years suppressing the work discovered in 2012.
Conference heads say the paper was withdrawn in response to an injunction by the UK High Court of Justice from publishing key sections of the paper, noting that the work is "important and relevant" to the security community.
The paper contains a redacted sentence that makes the hack harder to replicate.
The research pair of Radboud University Nijmegen, and the University of Birmingham, explain in the paper Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer [PDF] that the transponder is the most widely-used iof its kind found in Audis, Volvos, and Volkswagens.
They demonstrate three "practical" attacks that target a weak cipher and transponder update mechanism, managing to start a car in less than half an hour.
"Our first attack exploits weaknesses in the cipher design and in the authentication protocol. We show that having access to only two eavesdropped authentication traces is enough to recover the 96-bit secret key with a computational complexity of 256 cipher ticks (equivalent to 249 encryptions).
Our second attack exploits a weakness in the key-update mechanism of the transponder. This attack recovers the secret key after 3 × 216 authentication attempts with the transponder and negligible computational complexity. We have executed this attack in practice on several vehicles. We were able to recover the key and start the engine with a transponder emulating device. Executing this attack from beginning to end takes only 30 minutes.
Our third attack exploits the fact that some car manufacturers set weak cryptographic keys in their vehicles. We propose a time-memory trade-off which recovers such a weak key after a few minutes of computation on a standard laptop."
They say cars with keyless ignitions are particularly at risk because the cryptographic mechanisms were not strengthened to compensate for the removal of the mechanical key.
Auto-makers are strangely resistant to moving to superior chips that mitigate much of the attacks despite that the hardware costs less than US$1, the pair say. Vehicle recall costs would of course cost a lot more.
The first attack which targets "all vehicles using Megamos Crypto" exploits a lack of pseudo-random number generation allowing for replay attacks.
Verdult and Ege say car manufacturers should use randomly generated secret keys, set PINs, and write-lock memory after initialisation. These would defeat the researcher's attacks.
Drivers can buy a Proxmark 3 reader to check and set their lock-bits from zero to one to prevent write access to the transponder memory, and set the latest Megamos Crypto transponder to a random PIN.
The work marks the compromise of all four major engine immobilisers including DST, KeeLoq, and Hitag2. Manufacturer Atmel is the only to have published its open protocol design for public scrutiny, the researchers say. ®