cosic
play

COSIC Ashur, Benedikt Gierlichs and Bart Preneel an imec research - PowerPoint PPT Presentation

Dec 26, 2022 •279 likes •659 views

Fast, Furious and Insecure Lennert Wouters , Eduard Marin, Tomer COSIC Ashur, Benedikt Gierlichs and Bart Preneel an imec research group at KU Leuven Lennert Wouters , Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel Passive

  1. Fast, Furious and Insecure Lennert Wouters , Eduard Marin, Tomer COSIC Ashur, Benedikt Gierlichs and Bart Preneel an imec research group at KU Leuven Lennert Wouters , Eduard Marin, Tomer Ashur, Benedikt Gierlichs and Bart Preneel

  2. Passive Keyless Entry and Start Challenge Response 2 COSIC

  3. The Tesla Model S key fob PCB front PCB back TI TMS37F128 (X-Ray) UHF antenna TMS37126 (transponder) 3D LF SPI MicRF112 antenna transmitter IC MSP430 (MCU) 3 COSIC

  4. Getting started • Cannot order the IC’s from Farnell/ Digikey • Uncommon package (30 pin TSSOP – 0.5mm pitch) • Almost no public information on these chips (NDA) • The information that is available is inconsistent 4 COSIC

  5. Connecting to the TMS37126 SPI Slave Master 5 COSIC

  6. The Serial Peripheral Interface (SPI) 6 Source: http://www.ti.com/lit/an/spna147/spna147.pdf COSIC

  7. Uncovering undocumented SPI commands • SPI BUSY line indicates when the slave is ready for the next byte • The transponder indicates an error by pulling busy high or low for a long period • Observation 1: • Error if CMD value is incorrect • Observation 2: • If LEN is 0xFF and the CMD value is correct we get an error after the correct number of bytes (LEN) has been sent 7 COSIC

  8. Uncovering undocumented SPI commands Action LEN CMD WA DST40(C, K1) 0x06 0x84 NA DST_UNK(C, K1) 0x06 0x85 NA DST40(C, K2) 0x06 0x86 NA DST_UNK(C, K2) 0x06 0x87 NA Change K1 0x07 0x01 0x11 Change K2 0x07 0x01 0x12 8 COSIC

  9. Obtaining MSP430 firmware • Olimex MSP430-JTAG-TINY-V2 programmer • JTAG fuse wasn’t blown 9 COSIC

  10. MSP430 Static firmware analysis • Interrupt Vector Table (IVT) • References to Special Function Registers (SFR) • SPI transmit and receive buffers 10 More info: POC||GTFO 0x11: A TOURIST'S GUIDE TO MSP430 COSIC

  11. MSP430 Dynamic firmware analysis • MSPDebug + Olimex MSP430-JTAG-TINY-V2 • MSP430F1232 supports up to two breakpoints • Caveat: some debug pins are shared with IO and can trigger interrupts • Inspect interesting routines + dump RAM and register values • Retrieve bytes exchanged over SPI • The firmware is only using CMD 0x86 (DST40) during normal operation 11 COSIC

  12. Texas Instruments Digital Signature Transponder (DST) • DST40 • Introduced in 2000 • 40-bit key • Security Analysis of a Cryptographically-Enabled RFID Device (2005) • S Bono, M Green, A Stubblefield, A Juels, AD Rubin • Used for immobilizer by Ford, Lincoln, Mercury, Nissan and Toyota • Exxon- Mobil’s Speedpass payment system 12 COSIC

  13. DST40 Cipher Challenge register Key register Key schedule is executed every 3 rd round starting in the 2 nd 13 COSIC

  14. RF reverse engineering 14 COSIC

  15. Key fob RF operation • Two separate systems: • Remote Keyless Entry (RKE) • Actions are performed by pressing a button • One way communication • Passive Keyless Entry and Start (PKES) • The car is unlocked automatically if the key fob is in proximity of the vehicle • Two way communication 15 COSIC

  16. Passive Keyless Entry and Start • Ultra High Frequency (433.92 MHz) • From key fob to car • Easy to receive using widely available tools • SDR or Yard Stick One (CC1111) • Low Frequency (134.2 kHz) • From car to key fob • More challenging to receive 16 COSIC

  17. Low Frequency • Proxmark3 • Added DST transponder code for the AT91SAM microcontroller • Hardware modification to boost receiver range • Custom peak detect code for the FPGA 17 COSIC

  18. 18 COSIC

  19. Receiving LF signals 19 COSIC

  20. PKES Protocol analyzer Yard Stick One (UHF) Proxmark 3 (LF) 20 COSIC

  21. PKES protocol 21 COSIC

  22. A car only attack • Receive the 40-bit challenge • ~2 16 keys produce the correct response • Guess a key and transmit the response • After on average 2 23 guesses you will have a valid challenge response pair • Assuming 1 guess per second → 97 days • Can be automated 22 COSIC

  23. Proof of Concept 23 COSIC

  24. DST40 key recovery • 40-bit challenge is combined with a 40-bit key resulting in a 24-bit response • For each 40-bit challenge multiple keys produce the same response • Need two challenge response pairs to recover the key 24 COSIC

  25. DST40 key recovery • The key fob cannot verify the sender of a challenge • The key fob replies to any challenge it receives as long as the car ID is correct • Time-Memory Trade-Off Table • Simplified pseudocode: challenge = 0x636f736963 for key in range (0, 2 40 ): response = DST40(challenge, key) responseFile.append(key) • 2 24 files each containing ~2 16 40-bit keys 25 COSIC

  26. Cloning a key fob • Retrieve the 2-byte car ID (sniff or brute force) • Send challenge 0x636f736963 to the key fob • Use the response to select the correct TMTO file • Send a different challenge and record the response • Test the remaining ~2 16 keys for key in TMTO_File: resp = DST40(challenge2, key) if resp == response2: return key 26 COSIC

  27. Proof of Concept attack 27 COSIC

  28. Responsible disclosure 28 COSIC

  29. 29 COSIC

  30. Responsible disclosure • First notified Tesla on 31/08/2017 • Tesla vehicles produced from June 2018 onwards use a new key fob • OTA update includes a Pin to Drive feature and the ability to disable PKE 30 COSIC

  31. Conclusions (yes, this is 2019) • Some manufacturers and chip vendors still rely on: • proprietary cryptography • NDAs and secrecy of datasheets • (See also Helena Handschuh’s talk) • tier 1 or tier 2 suppliers to get security right • secrecy of firmware 31 COSIC

  32. Conclusions 32 COSIC

  33. Demo video: https://www.youtube.com/watch?v=aVlYuPzmJoY 33 COSIC

  34. Oops!... I did it again. 34 an imec research group at COSIC

  35. The new key fob • Hardware looks identical, JTAG is locked and the key fob is using DST80 • Trick the key fob into computing DST40 using only half of the 80-bit key! • Allows to recover the DST80 key with twice the amount of resources • 2 x 5,4TB and 2 x 2s • The attack requires close range to the fob, making it more difficult to execute • Cars being produced today are already using a new (new) key fob • Tesla has already begun to roll out a software update to applicable customers! 35 COSIC

  36. 36 Picture source: TrevP, https://teslaownersonline.com/threads/software-update-2019-32.13901/ COSIC

  37. Questions? @LennertWo @CosicBe lennert.wouters@esat.kuleuven.be 37 an imec research group at COSIC

Recommend

COSIC COSIC Korea University K.U. Leuven FSE 2007

COSIC COSIC Korea University K.U. Leuven FSE 2007

FSE 2007 in Luxembourg, 2007/Mar./26~28 Related-Key Rectangle Attacks on Reduced AES-192 and AES-256 Jointly worked with Seokhie Hong and Bart Preneel, Speaker: Jongsung Kim COSIC COSIC Korea University K.U. Leuven FSE 2007

874 views • 25 slides
COSIC A Framework for Cryptographic Problems from Linear Algebra NutMiC, Paris, June 25, 2019 1 /

COSIC A Framework for Cryptographic Problems from Linear Algebra NutMiC, Paris, June 25, 2019 1 /

A Framework for Cryptographic Problems from Linear Algebra Carl Bootland , Wouter Castryck, Alan Szepieniec and Frederik Vercauteren Dept. of Electrical Engineering, COSIC KU Leuven COSIC A Framework for Cryptographic Problems from Linear

731 views • 48 slides
Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and

Lightweight Cryptography and and RFID Security Svetla Nikova COSIC KUL COSIC, KULeuven and UTwente d UT t Overview Lightweight cryptography - state of the art Comparison Standard vs. Lightweight Comparison Standard vs. Lightweight

599 views • 39 slides
Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International

Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International

Introduction to Side-Channel Attacks Josep Balasch KU Leuven ESAT / COSIC 15th International COSIC Course Leuven, Belgium, 18 June 2015 Acknowledgements: Benedikt Gierlichs, Ingrid Verbauwhede, Patrick Schaumont, Kris Tiri, Bart Preneel,

920 views • 62 slides
Block cipher invariants as eigenvectors of correlation matrices Tim Beyne COSIC / ESAT, KULeuven

Block cipher invariants as eigenvectors of correlation matrices Tim Beyne COSIC / ESAT, KULeuven

Block cipher invariants as eigenvectors of correlation matrices Tim Beyne COSIC / ESAT, KULeuven December 3, 2018 COSIC Joan Daemen 2 Joan Daemen 2 Invariant subspaces and nonlinear invariants [Leander et al., 2011] x y E K K is a weak

614 views • 34 slides
Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU

Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU

Website Fingerprinting Attacks and Defenses in the Tor Onion Space Marc Juarez imec-COSIC KU Leuven COSIC Seminar - 23rd October 2017, Leuven Introduction Contents of this presentation: - PETS17: Website Fingerprinting Defenses at

658 views • 44 slides
Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven,

Practical Collisions for EnRUPT Sebastiaan Indesteege Bart Preneel COSIC, ESAT, K.U. Leuven, Belgium Fast Software Encryption 2009 Sebastiaan Indesteege (COSIC) Practical Collisions for EnRUPT 1/27 Outline 1 Introduction 2 Description of

704 views • 69 slides
W e b s i t e F i n g e r p r i n tj n g Claudia Diaz KU Leuven COSIC (With thanks to Marc

W e b s i t e F i n g e r p r i n tj n g Claudia Diaz KU Leuven COSIC (With thanks to Marc

W e b s i t e F i n g e r p r i n tj n g Claudia Diaz KU Leuven COSIC (With thanks to Marc Juarez and Bekah Overdorf) Summer School on real-world crypto and privacy June 2017 Outline Website Fingerprintjng for htups sites Website

599 views • 48 slides
K.U.Leuven ESAT/SCD/COSIC Computer Security and Industrial Cryptography Danny De Cock

K.U.Leuven ESAT/SCD/COSIC Computer Security and Industrial Cryptography Danny De Cock

K.U.Leuven ESAT/SCD/COSIC Computer Security and Industrial Cryptography Danny De Cock Danny.DeCock@esat.kuleuven.be Katholieke Universiteit Leuven/Dept. Elektrotechniek (ESAT) Computer Security and Industrial Cryptography (COSIC) Kasteelpark

308 views • 16 slides
Cryptanalysis of the Legendre PRF and Generalizations W. Beullens 1 T. Beyne 1 A. Udovenko 2 G.

Cryptanalysis of the Legendre PRF and Generalizations W. Beullens 1 T. Beyne 1 A. Udovenko 2 G.

Cryptanalysis of the Legendre PRF and Generalizations W. Beullens 1 T. Beyne 1 A. Udovenko 2 G. Vitto 2 1 imec-COSIC, ESAT, KULeuven 2 SnT, University of Luxembourg November 13, 2020 COSIC Legendre symbol Early 1900s: equidistribution results

977 views • 30 slides
A Perspective on Cryptocurrencies BART PRENEEL IMEC-COSIC KU LEUVEN

A Perspective on Cryptocurrencies BART PRENEEL IMEC-COSIC KU LEUVEN

A Perspective on Cryptocurrencies BART PRENEEL IMEC-COSIC KU LEUVEN BART.PRENEEL(AT)ESAT.KULEUVEN.BE 4 SEPTEMBER 2017 1 Currencies = maintaining memory Envelope and contents from Susa, Iran, ca 3300 BCE Each lenticular disc stands

685 views • 55 slides
Page 1 Ingrid Verbauwhede, KU Leuven COSIC, ALBENA, July 2013 Outline Transistor CMOS

Page 1 Ingrid Verbauwhede, KU Leuven COSIC, ALBENA, July 2013 Outline Transistor CMOS

Goal Digital Circuits: Fundamental understanding of CMOS circuits why they leak, how to counter Ingrid Verbauwhede So as to build models Ingrid.verbauwhede-at-esat.kuleuven.be And understand short comings of models KU Leuven, COSIC

381 views • 15 slides
Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer

Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer

Choosing G 1 and G 2 Ate Pairing Optimal Pairing Pairings on Elliptic Curves II Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium ECC Summer School - 2011 Fr e Vercauteren ESAT/COSIC - K.U. Leuven - Belgium Pairings on Elliptic

289 views • 24 slides
Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW

Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW

Public key cryptography on IoT devices Sujoy Sinha Roy COSIC, KU Leuven 1 Small area for HW implementations Small code size for SW implementation Low power or energy or both Reasonably fast computation time 2 This talk

676 views • 43 slides
Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus

Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus

Trusted Platform Module Dries Schellekens COSIC, KU Leuven Nomenclature Trusted versus trustworthy RFC 4949 (Internet Security Glossary) Trust : A feeling of certainty (sometimes based on inconclusive evidence) either (a) that the system

788 views • 33 slides
Introduction to Power Analysis Benedikt Gierlichs Katholieke Universiteit Leuven COSIC

Introduction to Power Analysis Benedikt Gierlichs Katholieke Universiteit Leuven COSIC

Introduction to Power Analysis Benedikt Gierlichs Katholieke Universiteit Leuven COSIC benedikt.gierlichs@esat.kuleuven.be ECRYPT II Summer School Design and Security of Cryptographic Algorithms and Devices Albena, Bulgaria, 31 May 2011

452 views • 23 slides
1 Devris Isler , imec-COSIC, KU Leuven, Leuven, Belgium Alptekin Kupcu, Aykut

1 Devris Isler , imec-COSIC, KU Leuven, Leuven, Belgium Alptekin Kupcu, Aykut

1 Devris Isler , imec-COSIC, KU Leuven, Leuven, Belgium Alptekin Kupcu, Aykut Coskun, Koc University, Istanbul, Turkey User Perceptions of Security and Usability of Mobile-based SPA and 2FA 9/26/19 Introduction Two

585 views • 31 slides
Connecting Academic Security Research to Applied Systems in the Field Dr. Danny De Cock 6

Connecting Academic Security Research to Applied Systems in the Field Dr. Danny De Cock 6

Connecting Academic Security Research to Applied Systems in the Field Dr. Danny De Cock 6 October 2016 COSIC Staff Department Electrical Engineering-ESAT COSIC = COmputer Security and Industrial Cryptography ( o 1978) 5 full-time 90

502 views • 28 slides
Protocol Design Jens Hermans & Roel Peeters, KU Leuven/COSIC The ideal protocol

Protocol Design Jens Hermans & Roel Peeters, KU Leuven/COSIC The ideal protocol

Protocol Design Jens Hermans & Roel Peeters, KU Leuven/COSIC The ideal protocol serves exactly the applications needs comes at a low cost is simple (elegant) is efficiently implementable is provably

1.21k views • 87 slides
Standardization of Simon and Speck Tomer Ashur, Atul Luykx Imec-COSIC KU Leuven ISO/IEC Meeting,

Standardization of Simon and Speck Tomer Ashur, Atul Luykx Imec-COSIC KU Leuven ISO/IEC Meeting,

An Account of the ISO/IEC Standardization of Simon and Speck Tomer Ashur, Atul Luykx Imec-COSIC KU Leuven ISO/IEC Meeting, Jaipur, India Dual EC NSA-designed PRNG (DRBG) Backdoored Snowden revelations: Project Bullrun

771 views • 24 slides
Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven

Cube Attacks on Stream Ciphers Based on Division Property Chaoyun Li ESAT-COSIC, KU Leuven 12-10-2017, Crete Chaoyun Li (ESAT-COSIC, KU Leuven) Cube attacks 12-10-2017, Crete 1 / 23 Plan Cube Attack: An Introduction 1 Cube Attacks with

389 views • 24 slides
The need for hardware roots of trust Ingrid Verbauwhede KU Leuven, ESAT - COSIC ibenik June

The need for hardware roots of trust Ingrid Verbauwhede KU Leuven, ESAT - COSIC ibenik June

Ingrid Verbauwhede 6/21/19 The need for hardware roots of trust Ingrid Verbauwhede KU Leuven, ESAT - COSIC ibenik June 21, 2019 Slides credit: Milo Gruji , Jeroen Delvaux, Kent Chuang, Adriaan Peetermans, Roel Maes and other PhD

799 views • 30 slides
Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and

Symmetric-key Cryptography: an Engineering Perspective Nicky Mouha 1 ESAT/COSIC, KU Leuven and iMinds, Belgium 2 Project-team SECRET, Inria, France ASK 2014 December 19, 2014 1 / 44 Overview Engineering Perspective Design, analysis,

873 views • 84 slides
Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan)

Masking schemes: evaluation Oscar Reparaz COSIC/KU Leuven PROOFS Taipei (Taiwan) 2017-09-29 1 quick intro to masking masking = countermeasure against DPA idea: secret sharing b = b 1 + b 2 individual shares tell you nothing

752 views • 45 slides

More recommend