Fast, furious and insecure: passive keyless entry and start systems in modern supercars

Lennert Wouters, Eduard Marin, Tomer Ashur, Benedikt Gierlichs, Bart Preneel

Research output: Contribution to journalArticleAcademicpeer-review

100 Downloads (Pure)

Abstract

The security of immobiliser and Remote Keyless Entry systems has been extensively studied over many years. Passive Keyless Entry and Start systems, which are currently deployed in luxury vehicles, have not received much attention besides relay attacks. In this work we fully reverse engineer a Passive Keyless Entry and Start system and perform a thorough analysis of its security.
Our research reveals several security weaknesses. Specifically, we document the use of an inadequate proprietary cipher using 40-bit keys, the lack of mutual authentication in the challenge-response protocol, no firmware readout protection features enabled and the absence of security partitioning.
In order to validate our findings, we implement a full proof of concept attack allowing us to clone a Tesla Model S key fob in a matter of seconds with low cost commercial off the shelf equipment. Our findings most likely apply to other manufacturers of luxury vehicles including McLaren, Karma and Triumph motorcycles as they all use the same system developed by Pektron.
Original languageEnglish
Pages (from-to)66-85
JournalIACR Transactions on Cryptographic Hardware and Embedded Systems (TCHES)
Volume2019
Issue number3
DOIs
Publication statusPublished - 9 May 2019
Externally publishedYes

Keywords

  • Tesla
  • McLaren
  • Karma
  • Triumph
  • Pektron
  • DST40

Fingerprint Dive into the research topics of 'Fast, furious and insecure: passive keyless entry and start systems in modern supercars'. Together they form a unique fingerprint.

Cite this