RollBack - A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems

Presented at Black Hat USA 2022, Aug. 11, 2022, 1:30 p.m. (40 minutes)

Automotive Remote Keyless Entry (RKE) systems implement disposable rolling codes, making every key fob button press unique, effectively preventing simple replay attacks. However, RollJam was proven to break all rolling code-based systems in general. By a careful sequence of signal jamming, capturing, and replaying, an attacker can become aware of the subsequent valid unlock signal that has not been used yet. RollJam, however, requires continuous deployment indefinitely until it is exploited. Otherwise, the captured signals become invalid if the key fob is used again without RollJam in place.

We introduce RollBack, a new replay-and-resynchronize attack against most of today's RKE systems. In particular, we show that even though the one-time code becomes invalid in rolling code systems, there is a way to utilize and replay previously captured signals that trigger a rollback-like mechanism in the RKE system. Put differently, the rolling codes can be resynchronized back to a previous code used in the past from where all subsequent yet already used signals work again. Moreover, the victim can still use the key fob without noticing any difference before and after the attack.

Unlike RollJam, RollBack does not necessitate jamming at all. Furthermore, it requires signal capturing only once and can be exploited any time in the future as many times as desired. This time-agnostic property is particularly attractive to attackers, especially in car-sharing/renting scenarios where accessing the key fob is straightforward. However, while RollJam defeats virtually any rolling code-based system, vehicles might have additional anti-theft measures against malfunctioning key fobs, hence against RollBack. Our ongoing analysis (covering the Asian vehicle manufacturers for the time being) against different vehicle makes, models, and RKE manufacturers revealed that ~70% of them are vulnerable to RollBack. Since most of the RKE transceivers from three out of the four (identified) manufacturers were vulnerable, the impact is expected to be bigger worldwide.

Presenters:

  • Chan Mun Choon - Professor, National University of Singapore
    Professor Chan Mun Choon graduated with a BS in Computer and Electrical Engineering from Purdue University and PhD from Columbia University. He was a Member of Technical Staff in the Networking Research Laboratory, Bell Labs, and Lucent Technologies before joining NUS. He is currently a Professor in the Department of Computer Science, School of Computing. He is a member of the Communication and Internet Research Lab.
  • Rohini Poolat Parameswarath - Researcher, National University of Singapore
    Rohini Poolat Parameswarath is a Researcher at National University of Singapore.
  • Soundarya Ramesh - PhD Student, National University of Singapore
    Soundarya Ramesh is a PhD Student at National University of Singapore.
  • Jun Wen Wong - Researcher, DSBJ Pte. Ltd.
    Jun Wen Wong is a Researcher at DSBJ Pte. Ltd.
  • Hoon Wei Lim - Director, Cybersecurity R&D, NCS Group
    Hoon Wei Lim is currently the Director, Cybersecurity R&D, for NCS Group. He is responsible for driving in-house R&D initiatives and academia-industry research collaboration. He has 20 years of R&D experience in cyber security, including both academic and industrial, focusing on practical problems arising from real-world requirements and industry needs. Particularly, he is interested in protection of data security and privacy, automation of threat detection, securing AI systems, and quantum-resistant security. In the past, Hoon Wei had held research positions with A*Star, NUS, NTU, and SAP Labs France. He received his PhD degree in Information Security from the Royal Holloway, University of London, U.K.
  • Levente Csikor - Senior Research Scientist, NCS Group / Institute for Infocomm Research, A*STAR
    Levente Csikor (PhD) has recently become a Scientist III at the Institute for Infocomm Research (I2R) at A*STAR, Singapore, where he primarily focuses on zero-trust networks.
    Most of the research work proposed to BlackHat USA 2022 was done when Levente was a Senior Research Scientist at NCS Cyber (Singtel Group). During that period, he focused on the network security aspects of applications and use-cases fostered by 5G, including automotive applications, IoT, robotics, and IPv6.
    Before joining NCS Cyber, he worked for Trustwave and Singtel Cyber Security as a Lead Research Scientist. He was also a Senior Research Fellow at the NUS-Singtel Cyber Security R&D Laboratory at the National University of Singapore between 2019 and 2021. During his career, Levente was a Research Fellow at the High-Speed Networks Laboratory (HSN Lab), Budapest University of Technology and Economics (BME), where he received his MSc and PhD degrees in 2010 and 2015, respectively. Furthermore, Levente has also been a postdoctoral research associate at INTRIG, University of Campinas (Brazil, 2018), and the School of Computing Science, University of Glasgow (the UK, 2017). His primary interest in many aspects of Software-Defined Networking (SDN) and Network Function Virtualization (NFV) has recently switched to the next-generation networks' security and privacy facets.
