Fast, furious and insecure: passive keyless entry and start systems in modern supercars

Lennert  Wouters; Eduard  Marin; Tomer Ashur; Benedikt  Gierlichs; Bart Preneel

doi:10.13154/tches.v2019.i3.66-85

Fast, furious and insecure: passive keyless entry and start systems in modern supercars

Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs, Bart Preneel

Research output: Contribution to journal › Article › Academic › peer-review

25 Citations (Scopus)

586 Downloads (Pure)

Abstract

The security of immobiliser and Remote Keyless Entry systems has been extensively studied over many years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received much attention besides relay attacks. In this work we fully reverse engineer a Passive Keyless Entry and Start system and perform a thorough analysis of its security.
Our research reveals several security weaknesses. Specifically, we document the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, no firmware readout protection features enabled and the absence of security partitioning.
In order to validate our findings, we implement a full proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. Our findings most likely apply to other manufacturers of luxury vehicles including McLaren, Karma and Triumph motorcycles as they all use the same system developed by Pektron.

Original language	English
Pages (from-to)	66-85
Number of pages	20
Journal	IACR Transactions on Cryptographic Hardware and Embedded Systems
Volume	2019
Issue number	3
DOIs	https://doi.org/10.13154/tches.v2019.i3.66-85
Publication status	Published - 9 May 2019
Externally published	Yes

Keywords

Tesla
McLaren
Karma
Triumph
Pektron
DST40
Digital Signature Transponder
Reverse engineering
Passive Keyless Entry and Start

Access to Document

10.13154/tches.v2019.i3.66-85Licence: CC BY

Publishers versionFinal published version, 6.02 MBLicence: CC BY

Cite this

@article{0b65d0e294a540f182a28128833f188d,

title = "Fast, furious and insecure: passive keyless entry and start systems in modern supercars",

abstract = "The security of immobiliser and Remote Keyless Entry systems has been extensively studied over many years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received much attention besides relay attacks. In this work we fully reverse engineer a Passive Keyless Entry and Start system and perform a thorough analysis of its security.Our research reveals several security weaknesses. Specifically, we document the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, no firmware readout protection features enabled and the absence of security partitioning.In order to validate our findings, we implement a full proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. Our findings most likely apply to other manufacturers of luxury vehicles including McLaren, Karma and Triumph motorcycles as they all use the same system developed by Pektron.",

keywords = "Tesla, McLaren, Karma, Triumph, Pektron, DST40, Digital Signature Transponder, Reverse engineering, Passive Keyless Entry and Start",

author = "Lennert Wouters and Eduard Marin and Tomer Ashur and Benedikt Gierlichs and Bart Preneel",

year = "2019",

month = may,

day = "9",

doi = "10.13154/tches.v2019.i3.66-85",

language = "English",

volume = "2019",

pages = "66--85",

journal = "IACR Transactions on Cryptographic Hardware and Embedded Systems",

issn = "2569-2925",

publisher = "Ruhr-University Bochum",

number = "3",

}

TY - JOUR

T1 - Fast, furious and insecure

T2 - passive keyless entry and start systems in modern supercars

AU - Wouters, Lennert

AU - Marin, Eduard

AU - Ashur, Tomer

AU - Gierlichs, Benedikt

AU - Preneel, Bart

PY - 2019/5/9

Y1 - 2019/5/9

N2 - The security of immobiliser and Remote Keyless Entry systems has been extensively studied over many years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received much attention besides relay attacks. In this work we fully reverse engineer a Passive Keyless Entry and Start system and perform a thorough analysis of its security.Our research reveals several security weaknesses. Specifically, we document the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, no firmware readout protection features enabled and the absence of security partitioning.In order to validate our findings, we implement a full proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. Our findings most likely apply to other manufacturers of luxury vehicles including McLaren, Karma and Triumph motorcycles as they all use the same system developed by Pektron.

AB - The security of immobiliser and Remote Keyless Entry systems has been extensively studied over many years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received much attention besides relay attacks. In this work we fully reverse engineer a Passive Keyless Entry and Start system and perform a thorough analysis of its security.Our research reveals several security weaknesses. Specifically, we document the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, no firmware readout protection features enabled and the absence of security partitioning.In order to validate our findings, we implement a full proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. Our findings most likely apply to other manufacturers of luxury vehicles including McLaren, Karma and Triumph motorcycles as they all use the same system developed by Pektron.

KW - Tesla

KW - McLaren

KW - Karma

KW - Triumph

KW - Pektron

KW - DST40

KW - Digital Signature Transponder

KW - Reverse engineering

KW - Passive Keyless Entry and Start

UR - http://www.scopus.com/inward/record.url?scp=85078328802&partnerID=8YFLogxK

U2 - 10.13154/tches.v2019.i3.66-85

DO - 10.13154/tches.v2019.i3.66-85

M3 - Article

SN - 2569-2925

VL - 2019

SP - 66

EP - 85

JO - IACR Transactions on Cryptographic Hardware and Embedded Systems

JF - IACR Transactions on Cryptographic Hardware and Embedded Systems

IS - 3

ER -

Fast, furious and insecure: passive keyless entry and start systems in modern supercars

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars

Cite this

Fast, furious and insecure: passive keyless entry and start systems in modern supercars

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Press/Media

Fast, Furious and Insecure: Passive Keyless Entry and Start in Modern Supercars

Cite this