International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Dismantling DST80-based Immobiliser Systems

Authors:
Lennert Wouters , imec-COSIC, KU Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium
Jan Van den Herrewegen , School of Computer Science, University of Birmingham, UK
Flavio D. Garcia , School of Computer Science, University of Birmingham, UK
David Oswald , School of Computer Science, University of Birmingham, UK
Benedikt Gierlichs , imec-COSIC, KU Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium
Bart Preneel , imec-COSIC, KU Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium
Download:
DOI: 10.13154/tches.v2020.i2.99-127
URL: https://tches.iacr.org/index.php/TCHES/article/view/8546
Search ePrint
Search Google
Abstract: Car manufacturers deploy vehicle immobiliser systems in order to prevent car theft. However, in many cases the underlying cryptographic primitives used to authenticate a transponder are proprietary in nature and thus not open to public scrutiny. In this paper we publish the proprietary Texas Instruments DST80 cipher used in immobilisers of several manufacturers. Additionally, we expose serious flaws in immobiliser systems of major car manufacturers such as Toyota, Kia, Hyundai and Tesla. Specifically, by voltage glitching the firmware protection mechanisms of the microcontroller, we extracted the firmware from several immobiliser ECUs and reverse engineered the key diversification schemes employed within. We discovered that Kia and Hyundai immobiliser keys have only three bytes of entropy and that Toyota only relies on publicly readable information such as the transponder serial number and three constants to generate cryptographic keys. Furthermore, we present several practical attacks which can lead to recovering the full 80-bit cryptographic key in a matter of seconds or permanently disabling the transponder. Finally, even without key management or configuration issues, we demonstrate how an attacker can recover the cryptographic key using a profiled side-channel attack. We target the key loading procedure and investigate the practical applicability in the context of portability. Our work once again highlights the issues automotive vendors face in implementing cryptography securely.
Video from TCHES 2020
BibTeX
@article{tches-2020-30156,
  title={Dismantling DST80-based Immobiliser Systems},
  journal={IACR Transactions on Cryptographic Hardware and Embedded Systems},
  publisher={Ruhr-Universität Bochum},
  volume={2020, Issue 2},
  pages={99-127},
  url={https://tches.iacr.org/index.php/TCHES/article/view/8546},
  doi={10.13154/tches.v2020.i2.99-127},
  author={Lennert Wouters and Jan Van den Herrewegen and Flavio D. Garcia and David Oswald and Benedikt Gierlichs and Bart Preneel},
  year=2020
}