25C3 - 1.4.2.3
25th Chaos Communication Congress
Nothing to hide
Referenten | |
---|---|
Timo Kasper | |
Thomas Eisenbarth |
Programm | |
---|---|
Tag | Day 1 (2008-12-27) |
Raum | Saal 3 |
Beginn | 23:00 |
Dauer | 01:00 |
Info | |
ID | 3030 |
Veranstaltungstyp | lecture |
Track | Hacking |
Sprache der Veranstaltung | en |
Feedback | |
---|---|
Haben Sie diese Veranstaltung besucht? Feedback abgeben |
Messing Around with Garage Doors
Breaking Remote Keyless Entry Systems with Power Analysis
We demonstrate a complete break of the KeeLoq crypto-system. Thanks to Power Analysis, even non-specialists can gain access to objects secured by a KeeLoq access control system.
KeeLoq remote keyless entry (RKE) systems are widely used for access control purposes such as garage openers or car door systems. The talk will present the first successful differential power analysis (DPA) attacks on numerous commercially available products employing KeeLoq code hopping. They allow for efficiently revealing both the secret key of a remote transmitter and the manufacturer key stored in a receiver. As a result, a remote control can be cloned from only ten power traces, allowing for a practical key recovery in few minutes. After extracting the manufacturer key once, with similar techniques, it is possible to recover the secret key of a remote control and replicate it from a distance, just by eavesdropping on at most two messages. This key-cloning without physical access to the device has serious real-world security implications, as the technically challenging part can be outsourced to specialists. During the talk, the attack will be practically performed. Finally, it will be shown how to take over control of a KeeLoq access control system, i. e., lock out a legitimate user while the attacker may still open the door.