Researchers exploited a vulnerability in the Megamos Crypto transponder, which is used in anti-theft vehicle devices, to hack a car wirelessly.
Car hacking ain't new anymore; we've seen the demonstration by Charlie Miller and Chris Valasek of hacking an internet-connected car remotely. Adding to the list, recently publicized research findings show the presence of some serious vulnerabilities which hackers can exploit to start cars without the need of a key.
Vulnerability found in Megamos Crypto transponder
The Megamos Crypto transponder is used in most Audi, Fiat, Honda, Volkswagen and Volvo cars. It is a part of the anti-theft system which prevents the engine of the vehicle from starting when the corresponding transponder is not present. This transponder is a passive RFID tag which is usually embedded in the key of the vehicle. Audi, Ferrari, Fiat, Cadillac and Volkswagen are just a few of the automakers on a list of two dozen companies that use the flawed component.
Exploiting The Vulnerability
As per the paper titled 'Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer', researchers reverse-engineered the software running on the transponder, with their prime focus on the analysis of proprietary security mechanisms implemented by the manufacturers. They have found three ways to run an attack against the transponder and bypass the authentication mechanism by recovering the 96-bit transponder secret key. According to them,
“Our first attack consists of a cryptanalysis of the cipher and the authentication protocol. Our second and third attack not only look at the cipher but also at the way in which it is implemented and poorly configured by the automotive industry.”
These research findings are, however, a few years old. An attempt to present the paper at the 22nd USENIX Security Symposium in 2013 was prevented by Volkswagen. Even though 3 years have passed since the first discovery of the flaw, the security issues addressed are still more or less relevant, as the components present in modern connected cars are more or less similar.
The first attack exploits the following weaknesses:
· The transponder lacks a pseudo-random number generator.
· The internal state of the cipher consists of only 56 bits, compared to the 96-bit secret key.
· The cipher state successor function can be inverted: given an internal state and the corresponding ciphertext, it is possible to compute the predecessor state.
· The last steps of the authentication protocol provide an adversary with 15 bits of known plaintext.
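The invertible successor function named in the list above can be seen on a small scale in the following added example, which is not code from the paper or from this article. It uses a constructed 16-bit toy register (not the Megamos cipher; every function and constant is hypothetical) in which the output bit stands in for the ciphertext bit: without it a state has two possible predecessors, with it exactly one.

```python
# Toy 16-bit shift-register cipher, constructed for illustration (NOT Megamos Crypto).
MASK = 0xFFFF

def _bit(x, i):
    return (x >> i) & 1

def _g(low15):
    # Nonlinear output filter over bits 14..0 (hypothetical choice).
    return (_bit(low15, 3) & _bit(low15, 7)) ^ _bit(low15, 11)

def _h(low15):
    # Feedback bit computed from bits 14..0 (hypothetical choice).
    return _bit(low15, 0) ^ _bit(low15, 5) ^ (_bit(low15, 9) & _bit(low15, 13))

def step(state):
    """Successor function: shift left, drop bit 15, return (next_state, output_bit)."""
    low15 = state & 0x7FFF
    out = _bit(state, 15) ^ _g(low15)
    return ((state << 1) & MASK) | _h(low15), out

def candidates(nxt):
    """Without the output bit, a state produced by step() has two possible predecessors."""
    low15 = nxt >> 1
    return [low15, (1 << 15) | low15]

def predecessor(nxt, out):
    """With the output bit, the dropped bit 15 is determined uniquely."""
    low15 = nxt >> 1
    return ((out ^ _g(low15)) << 15) | low15

def run(state, n):
    """Clock the cipher n times; return (final_state, output_bits)."""
    bits = []
    for _ in range(n):
        state, out = step(state)
        bits.append(out)
    return state, bits

def rewind(state, bits):
    """Undo run(): walk the observed output bits backwards."""
    for out in reversed(bits):
        state = predecessor(state, out)
    return state

if __name__ == "__main__":
    start = 0xBEEF  # constructed sample initial state
    final, bits = run(start, 40)
    print(hex(final), hex(rewind(final, bits)))
```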
“Our second attack exploits a weakness in the key-update mechanism of the transponder. This attack recovers the secret key after 3 × 2^16 authentication attempts with the transponder and negligible computational complexity. We have executed this attack in practice on several vehicles. We were able to recover the key and start the engine with a transponder emulating device. Executing this attack from beginning to end takes only 30 minutes.
Our third attack exploits the fact that some car manufacturers set weak cryptographic keys in their vehicles. We propose a time-memory trade-off which recovers such a weak key after a few minutes of computation on a standard laptop.”
“It is also possible to foresee a setup with two perpetrators, one interacting with the car and one wirelessly pickpocketing the car key from the victim’s pocket,” explained the researcher. “Our attacks require close range wireless communication with both the immobilizer unit and the transponder.”