RollBack: A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems

Author:

Csikor Levente (1), Lim Hoon Wei (2), Wong Jun Wen (3), Ramesh Soundarya (4), Parameswarath Rohini Poolat (5), Chan Mun Choon (4)

Affiliation:

1. Institute for Infocomm Research (I2R), A*STAR, Singapore

2. NCS Group, Singapore

3. DSBJ Pte. Ltd., Singapore

4. School of Computing, National University of Singapore, Singapore

5. Department of Electrical and Computer Engineering, College of Design and Engineering, National University of Singapore, Singapore

Abstract

Automotive Remote Keyless Entry (RKE) systems provide car owners with a degree of convenience, allowing them to lock and unlock their car without using a mechanical key. Today’s RKE systems implement disposable rolling codes, making every key fob button press unique, effectively preventing simple replay attacks. However, a prior attack called RollJam was proven to break all rolling code–based systems in general. By a careful sequence of signal jamming, capturing, and replaying, an attacker can become aware of the subsequent valid unlock signal that has not been used yet. RollJam, however, requires continuous deployment indefinitely until it is exploited. Otherwise, the captured signals become invalid if the key fob is used again without RollJam in place. We introduce RollBack, a new replay-and-resynchronize attack against most of today’s RKE systems. In particular, we show that even though the one-time code becomes invalid in rolling code systems, replaying a few previously captured signals consecutively can trigger a rollback-like mechanism in the RKE system. Put differently, the rolling codes become resynchronized back to a previous code used in the past from where all subsequent yet already used signals work again. Moreover, the victim can still use the key fob without noticing any difference before and after the attack. Unlike RollJam, RollBack does not necessitate jamming at all. In fact, it requires signal capturing only once and can be exploited at any time in the future as many times as desired. This time-agnostic property is particularly attractive to attackers, especially in car-sharing/renting scenarios in which accessing the key fob is straightforward. However, while RollJam defeats virtually any rolling code–based system, vehicles might have additional anti-theft measures against malfunctioning key fobs, hence against RollBack. Our ongoing analysis (with crowd-sourced data) against different vehicle makes and models has revealed that ∼50% of the examined vehicles in the Asian region are vulnerable to RollBack, whereas the impact tends to be smaller in other regions, such as Europe and North America.

Funder

National University of Singapore

NCS Group

Publisher

Association for Computing Machinery (ACM)

Subject

Artificial Intelligence, Control and Optimization, Computer Networks and Communications, Hardware and Architecture, Human-Computer Interaction

