A Protocol for a Secure Remote Keyless Entry System Applicable in Vehicles using Symmetric-Key Cryptography
Tobias Glocker
University of Vaasa, Email: tglo@uva.fi
Timo Mantere
University of Vaasa, Email: timan@uva.fi
Mohammed Elmusrati
University of Vaasa, Email: moel@uva.fi
Abstract—In our modern society, comfort has become a standard. In cars, this comfort can only be achieved by equipping the car with more electronic devices. Some of these devices must cooperate with each other and thus require a communication channel, which can be wired or wireless. These days it would be hard to sell a new car that operates with traditional keys: almost all modern cars can be locked or unlocked with a Remote Keyless System. A Remote Keyless System consists of a key fob that communicates wirelessly with the car transceiver responsible for locking and unlocking the car. However, there are several threats to wireless communication channels. This paper describes the possible attacks against a Remote Keyless System and introduces a secure protocol as well as a lightweight Symmetric Encryption Algorithm for a Remote Keyless Entry System applicable in vehicles.
I. INTRODUCTION
A Remote Keyless Entry System consists of a key fob and a car transceiver that is responsible for locking and unlocking the car. Instead of locking or unlocking the car with a traditional key, the user presses a button on the key fob. Unfortunately, keyless cars are "increasingly targeted by thieves" [1]. Criminals steal vehicles "through the re-programming of remote-entry keys". Thus, some insurance companies have denied insurance for this issue. In addition, a Remote Keyless System is vulnerable to a Scan Attack, Playback Attack, Two-Thief Attack, Challenge Forward Prediction Attack and a Dictionary Attack. Another threat to Remote Keyless Entry Systems are On-Board-Diagnose (OBD) key programmers.

A Scan Attack is critical for systems which use the rolling code technique [2]. It is performed against such systems by sending different codes to the car transceiver until the sent code matches the code of the car transceiver. This type of attack is the simplest one. How long it takes to unlock the car with this attack "depends on the number of bits in the random challenge, the random challenge-generation method, and the number of trials conducted by the intruder" [3].

Another possible attack against Remote Keyless Entry Systems is the so-called Playback Attack [3]. Here, an intruder has a device which is capable of recording messages sent wirelessly. Later on, when the car driver is away, the intruder can send the recorded messages to the car transceiver to unlock the car.

The Two-Thief Attack [3] is the best-known attack. In a passive Keyless Entry System, one thief stands next to the car while the other one stands next to the car owner. Assume that the car owner is a hundred meters away from the car. Both thieves use devices to amplify signals. The thief standing next to the car pulls the door handle. By pulling the door handle, the car transceiver sends an interrogation message to the Customer-Identification Device (CID) [4], which is like a key fob or a credit card kept in the car owner's pocket. Since the CID is outside the transmission range, the amplifier of the thief standing next to the car amplifies the signal so that it can be received by the amplifier of the thief standing next to the car owner. From there it is forwarded to the CID. The CID responds with a valid code, which is transmitted back to the car transceiver over the amplifier devices of the thieves.

In the Challenge Forward Prediction Attack, the intruder has a device that records several interrogation messages sent from the car transceiver when the door handle is pulled. Based on the recorded interrogation messages, the intruder tries to predict the next one. Then the intruder can approach the car owner and send the predicted interrogation message to the CID in the car owner's pocket. The CID responds with a message, which is recorded. Afterwards, the intruder goes back to the car, pulls the door handle and plays back the recorded message from the CID.

Cars can also be unlocked with copied car keys. There are OBD key programmers that can be used to copy car keys [5]. Assume that a thief goes to a car shop and asks for a test drive. During the test drive the thief stops, plugs the key programming device into the OBD port and copies all key information to a non-programmed key fob. After the test drive the thief returns the car with the original car key. At night the thief returns to the car shop and steals the car with the copied key fob.

A further threat is jammers [6]. Jammers are devices that emit signals in the same frequency range as key fobs to create strong interference that blocks the communication between key fob and car transceiver. When the driver leaves the car and presses the lock button on the key fob, the car will not lock if there is an active jammer within a range of 30 m. Although in most cars the indicators blink twice after the car has been locked, some people do not pay any attention to it. After the driver has left the parking yard, the thief can open the unlocked car and steal it by accessing the OBD interface.

II. FUNCTIONALITY OF THE PROPOSED PROTOCOL FOR A SECURE REMOTE KEYLESS ENTRY SYSTEM
To implement this Lightweight Symmetric Algorithm for a Remote Keyless Entry System, the following requirements must be fulfilled. First, it is important that the microcontroller used in the key fob and in the board computer has an Electrically Erasable Programmable Read-Only Memory (EEPROM) of 4 kB to store 2000 numbers with a size of 2 bytes each. Furthermore, a strong Random Number Generator should be used to avoid the prediction of random numbers. Another important issue is the power consumption of the microcontroller and the Radio Frequency (RF) unit inside the key fob, because they are battery-operated.
Fig. 1. Proposed Key Fob with Main Components.
The car must also have a board computer, equipped with a car transceiver, for generating random numbers and for sending them to the key fob. In addition, the board computer and the car transceiver must be connected to an accurate current measurement, capable of detecting fluctuations from one millisecond to the next, in order to generate random numbers. Furthermore, the key fob should also be able to generate random numbers. It is important that Random Number Generators (RNGs) are used and not Pseudo Random Number Generators (PRNGs) [7]. PRNGs generate random numbers whose sequence will be repeated after some time, while for RNGs the probability of repeated random number sequences is vanishingly small. Note that the proposed key fob contains a button for locking the door, a button for unlocking the door, a button for opening the boot, and a programming interface (see Fig. 1). In the central console there must be two interfaces through which the key fobs can communicate with the board computer. At certain time intervals the driver of the car will be asked to update the key fobs. During the updating process the board computer generates new random numbers and writes them to the memory of the key fobs and the car transceiver. The updating process only works if both key fobs are connected to the board computer.

When the car is delivered, the buyer gets two key fobs. The board computer as well as the key fobs are pre-programmed.
Fig. 2. Memory Layout of the Key Fob and the Car Transceiver.
Fig. 2 represents the memory layout of the key fob and the car transceiver. The size of the EEPROM is 4 kB to store 2000 numbers in the range between 0 and 65535. The car key ID is stored in a Read-Only Memory (ROM). It is a unique ID that is assigned to each car.

Fig. 3 illustrates a successful transaction for sending an instruction command from the key fob to the car transceiver. When the driver presses a button on the key fob, the key fob sends an encrypted car key ID to the car transceiver. There, the received car key ID is compared with the one stored in the memory of the car transceiver. If the comparison was successful, the car transceiver generates ten random numbers in the range between 0 and 1999 and sends them to the key fob. The first five random numbers are used as indices of the memory locations containing the numbers used to build the authentication message, while the last five random numbers are used as indices of the memory locations whose values serve as the key for the encryption (see Fig. 5). The key fob reads the first five requested memory locations, encrypts their values and appends them to form the authentication message, which is sent to the car transceiver. When the car transceiver receives this so-called authentication message, it reads the requested memory locations from its own memory, encrypts and appends them to build its own authentication message. Then it compares its own authentication message with the received one.

If the comparison was successful, the car transceiver sends an authentication "OK" message to the key fob. After receiving the authentication "OK" message, the key fob sends the instruction command to the car transceiver, which then processes the requested instruction (lock/unlock car or open boot).

Fig. 3. Successful Transaction for sending an instruction command from Key Fob to car transceiver.

A successful transaction between car transceiver and key fob for starting the car is shown in Fig. 4. When the driver presses the start button, the car transceiver sends a request to the key fob to reply with the car key ID stored in the memory of the key fob. The key fob reads the car key ID, generates ten random numbers in the range between 0 and 1999 and sends the car key ID together with the ten generated random numbers to the car transceiver. After receiving the car key ID, the car transceiver checks whether the received car key ID matches its own. If the comparison was successful, the car transceiver builds the authentication message based on the received random numbers. Furthermore, it generates ten random numbers in the range between 0 and 1999 before sending the authentication message together with the ten generated random numbers to the key fob. After receiving the authentication message, the key fob builds its own authentication message and compares it with the received one. If the comparison was successful, the key fob builds the authentication message based on the random numbers received from the car transceiver and sends it to the car transceiver. The car transceiver builds its own authentication message and compares it with the received one. If both authentication messages match, the start command is processed. Note that this authentication process (A) is necessary to prevent an attacker from emulating a car transceiver in order to get access to the memory locations of the key fob.

The numbers that have been read from the requested memory locations are encrypted using the proposed Lightweight Encryption Algorithm (see Fig. 5), which works in the following way. First, the number at the sixth requested memory location is added to the number at the first requested memory location. Then the number at the seventh requested memory location is added to the number at the second requested memory location. This continues until the number at the tenth requested memory location is added to the number at the fifth requested memory location. This kind of encryption has the advantage that it needs less computation power and is easy to implement.

Fig. 4. Successful Transaction between car transceiver and Key Fob for starting the car.

Fig. 5. The proposed Lightweight Encryption Algorithm.

Fig. 6 illustrates the key exchange between the car transceiver and the two key fobs. As mentioned before, the keys must be updated at certain time intervals. To exchange the keys (random numbers), both key fobs must be connected to the hardware interfaces in the central console. After entering the password of the board computer, the key fob programming button becomes visible. By pressing the key fob programming button, the board computer sends a car key ID request to both car keys. If both car key IDs match, the board computer generates 2000 random numbers and transmits them to both key fobs, where they are stored in the EEPROM memory. If the random numbers have been successfully saved in both key fob memories, the board computer writes the random numbers to its own EEPROM memory.
Fig. 6. Successful Transaction between car transceiver and Key Fob forexchanging random numbers.
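The Fig. 3 transaction together with the Fig. 5 encryption, as an added C example that is not code from the paper; the table contents, the way the ten indices are chosen, and the reduction of each sum modulo 2^16 are assumptions made for the example:

```c
/* Added example, not the paper's own code: the Fig. 3 authentication between
 * key fob and car transceiver using the Fig. 5 lightweight encryption.
 * Assumptions: sums are reduced modulo 2^16 so each encrypted value stays a
 * 2-byte number, and the 2000-entry table holds a constructed pattern. */
#include <stdint.h>
#include <stdio.h>

#define TABLE_SIZE 2000   /* 2000 numbers x 2 bytes = the 4 kB EEPROM */
#define NUM_INDICES 10    /* ten random indices in 0..1999 per request */
#define AUTH_LEN 5        /* five encrypted values form the message */

/* Constructed stand-in for the shared EEPROM content (same seed on both sides). */
static void fill_table(uint16_t table[TABLE_SIZE], uint16_t seed) {
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        table[i] = (uint16_t)(seed * 7919u + i * 104729u);
}

/* Stand-in for the car's ten random indices; a real system draws them from its RNG. */
static void pick_indices(uint16_t idx[NUM_INDICES], uint16_t base) {
    for (unsigned i = 0; i < NUM_INDICES; i++)
        idx[i] = (uint16_t)((base + i * 37u) % TABLE_SIZE);
}

/* Fig. 5: the value at index i is masked by adding the value at index i+5. */
static int build_auth_message(const uint16_t table[TABLE_SIZE],
                              const uint16_t idx[NUM_INDICES], uint16_t out[AUTH_LEN]) {
    for (int i = 0; i < NUM_INDICES; i++)
        if (idx[i] >= TABLE_SIZE) return 0;   /* malformed request: refuse it */
    for (int i = 0; i < AUTH_LEN; i++)
        out[i] = (uint16_t)(table[idx[i]] + table[idx[i + AUTH_LEN]]);
    return 1;
}

/* Car side: rebuild from its own table and compare in constant time, so the
 * response time does not reveal how many of the five values matched. */
static int car_verify(const uint16_t car[TABLE_SIZE], const uint16_t idx[NUM_INDICES],
                      const uint16_t received[AUTH_LEN]) {
    uint16_t expected[AUTH_LEN], diff = 0;
    if (!build_auth_message(car, idx, expected)) return 0;
    for (int i = 0; i < AUTH_LEN; i++) diff |= (uint16_t)(expected[i] ^ received[i]);
    return diff == 0;
}

/* Honest transaction: 1 if the car accepts the fob's reply to its indices. */
int transaction(uint16_t seed_fob, uint16_t seed_car, uint16_t base) {
    uint16_t fob[TABLE_SIZE], car[TABLE_SIZE], idx[NUM_INDICES], msg[AUTH_LEN];
    fill_table(fob, seed_fob); fill_table(car, seed_car); pick_indices(idx, base);
    return build_auth_message(fob, idx, msg) && car_verify(car, idx, msg);
}

/* Playback Attack: a message recorded under one set of indices is replayed after
 * the car has issued a fresh set. Returns 1 only if the car rejects it. */
int replay_rejected(uint16_t seed, uint16_t old_base, uint16_t new_base) {
    uint16_t t[TABLE_SIZE], old_idx[NUM_INDICES], new_idx[NUM_INDICES], rec[AUTH_LEN];
    fill_table(t, seed); pick_indices(old_idx, old_base); pick_indices(new_idx, new_base);
    build_auth_message(t, old_idx, rec);            /* the attacker's recording */
    return !car_verify(t, new_idx, rec);
}

int main(void) {
    printf("genuine fob %d, stale fob after re-programming %d, replay rejected %d\n",
           transaction(1, 1, 100), transaction(1, 2, 100), replay_rejected(1, 100, 500));
    return 0;
}
```

The second transaction models a fob whose table no longer matches the car's after re-programming, and the last replay call shows that the same recording is only accepted when the car repeats exactly the same ten indices.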
In the previously described transactions between car transceiver and key fob(s) it was always assumed that all steps in the transaction went fine. However, some steps can fail. It can happen that the car key ID does not match, that the comparison of the received encrypted message fails, or that a memory problem occurs when updating the key fobs with new keys (random numbers). These problems can be handled in the following way. If a wrong car key ID is received many times within a short time interval, it can be ignored, because on a big parking yard there may be many cars being opened and closed. However, when a wrong encrypted authentication message is received from a key fob many times within a short time interval, the risk of an Intrusion Attack is very high, because this step is only reached when the right car key ID was sent. In this case the system could be put into a blocked state for three minutes after receiving three wrong authentication messages, before it reacts to new key fob commands. The memory problem that can occur when updating the key fobs with new keys (random numbers) can be solved in the following way. If the process of writing the keys to one of the key fobs fails, it should be repeated. If it still fails, the writing process should be stopped, but only if the other key fob has not been programmed yet. Otherwise, the already programmed key fob must be re-programmed with the old keys.
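The blocked-state rule above, as an added example in C that is not the authors' code; the 60-second window for "many times within a short time interval" is an assumption, while the three wrong messages and the three-minute block are the paper's values:

```c
/* Added example, not the paper's code: the failure handling described above,
 * on the car-transceiver side. Wrong car key IDs are ignored; three wrong
 * authentication messages within a short interval (assumed here to be 60 s,
 * the paper gives no value) block all key-fob commands for three minutes. */
#include <stdint.h>

#define MAX_BAD_AUTH    3       /* wrong authentication messages tolerated */
#define BAD_AUTH_WINDOW 60u     /* assumption: the "short time interval", in s */
#define BLOCK_SECONDS   180u    /* three minutes blocked, as in the paper */

enum fob_event { EV_WRONG_ID, EV_BAD_AUTH, EV_GOOD_AUTH };
enum verdict   { V_IGNORED, V_ACCEPTED, V_BLOCKED };

struct transceiver_state {
    uint32_t bad_times[MAX_BAD_AUTH];   /* timestamps of recent failures */
    unsigned bad_count;
    uint32_t blocked_until;             /* 0 while not blocked */
};

enum verdict handle_event(struct transceiver_state *s, enum fob_event ev, uint32_t now) {
    if (s->blocked_until && now < s->blocked_until)
        return V_BLOCKED;                /* blocked state: ignore every command */
    s->blocked_until = 0;
    if (ev == EV_WRONG_ID)
        return V_IGNORED;                /* common on a busy car park, no alarm */
    if (ev == EV_GOOD_AUTH)
        return V_ACCEPTED;
    /* EV_BAD_AUTH: the right car key ID was sent, so this is suspicious.
     * Forget failures older than the window, then record this one. */
    unsigned kept = 0;
    for (unsigned i = 0; i < s->bad_count; i++)
        if (now - s->bad_times[i] <= BAD_AUTH_WINDOW)
            s->bad_times[kept++] = s->bad_times[i];
    s->bad_count = kept;
    if (s->bad_count < MAX_BAD_AUTH)
        s->bad_times[s->bad_count++] = now;
    if (s->bad_count >= MAX_BAD_AUTH) {  /* third failure: enter blocked state */
        s->blocked_until = now + BLOCK_SECONDS;
        s->bad_count = 0;
        return V_BLOCKED;
    }
    return V_IGNORED;
}

/* Replays a constructed event log, one event every `step` seconds:
 * 'i' wrong car key ID, 'b' wrong authentication message, 'g' correct
 * authentication message, 'w' wait out a full block period without events.
 * Returns the verdict of the last event. */
enum verdict replay_log(const char *log, uint32_t step) {
    struct transceiver_state s = {{0}, 0, 0};
    enum verdict v = V_IGNORED;
    uint32_t now = 0;
    for (; *log; log++) {
        if (*log == 'w') { now += BLOCK_SECONDS; continue; }
        enum fob_event ev = *log == 'i' ? EV_WRONG_ID
                          : *log == 'b' ? EV_BAD_AUTH : EV_GOOD_AUTH;
        v = handle_event(&s, ev, now);
        now += step;
    }
    return v;
}
```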
Fig. 7. A proposed security mechanism against jamming.
In section one, the operation of a jammer was introduced. Fig. 7 represents the flow chart of the proposed security mechanism against jamming. After the motor is switched off, the board computer checks whether a door has been opened and closed. If a door was opened and closed, the board computer checks whether a ping reply or a lock command has been received. If no ping reply or lock command has been received within ten seconds, the car honks five times and the driver has ten seconds before the car is locked automatically. This prevents the car from being left unlocked after a Jamming Attack.
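The Fig. 7 flow chart above, as an added C example that is not code from the paper; treating a ping reply from the key fob as proof that the channel is not jammed is an assumption, since the paper does not say what follows a received ping reply:

```c
/* Added example, not the paper's code: the anti-jamming flow of Fig. 7 as a
 * small state machine on the board computer, clocked in whole seconds by the
 * caller. Assumption not stated in the paper: a ping reply from the key fob
 * shows the channel is not jammed, so the guard stands down. */
#include <stdint.h>

#define WAIT_SECONDS 10u   /* both waits in the flow chart are ten seconds */
#define HONK_TIMES   5

enum jam_state { ST_RUNNING, ST_MOTOR_OFF, ST_DOOR_OPEN, ST_WAIT_LOCK,
                 ST_WAIT_DRIVER, ST_STAND_DOWN, ST_LOCKED };
enum jam_action { ACT_NONE, ACT_HONK, ACT_AUTO_LOCK };

struct jam_guard { enum jam_state st; uint32_t deadline; };

/* Door and key-fob events: m motor off, o door opened, c door closed,
 * p ping reply received, l lock command received. */
void jam_event(struct jam_guard *g, char ev, uint32_t now) {
    switch (ev) {
    case 'm': g->st = ST_MOTOR_OFF; break;
    case 'o': if (g->st == ST_MOTOR_OFF) g->st = ST_DOOR_OPEN; break;
    case 'c': if (g->st == ST_DOOR_OPEN) {        /* driver got out: start the clock */
                  g->st = ST_WAIT_LOCK; g->deadline = now + WAIT_SECONDS;
              } break;
    case 'p': if (g->st == ST_WAIT_LOCK || g->st == ST_WAIT_DRIVER)
                  g->st = ST_STAND_DOWN; break;
    case 'l': g->st = ST_LOCKED; break;           /* lock command got through */
    }
}

/* Called once per second; returns the action the car must take now. */
enum jam_action jam_tick(struct jam_guard *g, uint32_t now) {
    if (g->st == ST_WAIT_LOCK && now >= g->deadline) {    /* nothing heard: jammer? */
        g->st = ST_WAIT_DRIVER; g->deadline = now + WAIT_SECONDS;
        return ACT_HONK;                                   /* honk five times */
    }
    if (g->st == ST_WAIT_DRIVER && now >= g->deadline) {  /* driver did not react */
        g->st = ST_LOCKED;
        return ACT_AUTO_LOCK;
    }
    return ACT_NONE;
}

/* Runs a constructed script of the event letters above plus '.' for one
 * elapsed second; returns the final state and counts horn blasts. */
static enum jam_state run_script(const char *script, int *blasts) {
    struct jam_guard g = { ST_RUNNING, 0 };
    uint32_t now = 0;
    *blasts = 0;
    for (; *script; script++) {
        if (*script != '.') { jam_event(&g, *script, now); continue; }
        if (jam_tick(&g, ++now) == ACT_HONK) *blasts += HONK_TIMES;
    }
    return g.st;
}

enum jam_state final_state(const char *script) { int b; return run_script(script, &b); }
int horn_blasts(const char *script)            { int b; run_script(script, &b); return b; }
```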
III. COMPARISON BETWEEN DIFFERENT AUTHENTICATION TECHNIQUES APPLIED IN KEY FOBS
For Remote Keyless Entry Systems there are three authentication techniques that are mainly used [3].

One technique is called the Fixed Code Technique. A device using this technique has a fixed pre-programmed code. Whenever an event is triggered, the device sends its fixed code to the receiver.

Another technique used for the authentication of Remote Keyless Entry Systems is the Rolling Code Technique. In this technique both the transmitter (key fob) and the receiver (car) maintain a sequence counter. If a button is pressed, the content of the sequence counter is sent encrypted to the receiver. There, the received encrypted value of the sender's sequence counter is decrypted and compared with the receiver's own sequence counter. If the difference between the values of both sequence counters lies within a certain range, the received code is valid. Note that a shared secret key is used for the encryption and decryption.

The Challenge-Response Technique is a widely used technique. A secret key is shared between two transceivers. When the driver pulls the door handle, the car transceiver transmits a random number, the so-called random challenge, to the CID. There the received random challenge is encrypted before it is sent back to the car transceiver. In the meantime the car transceiver has also encrypted the random challenge sent to the CID and compares it with the received one. If they match, a certain operation is performed.

According to [3], the previously mentioned authentication techniques are vulnerable to different types of attacks such as the Scan Attack, Playback Attack and Forward Prediction Attack. Table I shows the level of difficulty of each attack type against the mentioned authentication techniques and against our proposed protocol. The levels are easy (0), difficult (1), very difficult (2) and extremely difficult (3).
TABLE I
LEVEL OF DIFFERENT ATTACKS VS. AUTHENTICATION TECHNIQUES

Attack            | Fixed Code | Rolling Code | Challenge Response | Our proposed Protocol
Scan Attack       |            |              |                    |
Playback Attack   |            |              |                    |
Fwd. Pred. Attack |            |              |                    |
IV. BENEFITS AND DRAWBACKS OF THE PROPOSED PROTOCOL
The introduced protocol has several advantages over common protocols used in Secure Remote Keyless Entry Systems. One advantage is the easy implementation of the introduced protocol and of the lightweight encryption algorithm. In addition, the lightweight encryption algorithm requires less computation power and is thus energy efficient. The authentication response message is built from three randomly selected decimal numbers, each in the range between 0 and 65535. This means that the message length can be up to 80 bits. Thus it is almost impossible to guess the requested authentication response message. Since the authentication response message changes for every request, the probability of guessing the right authentication response message is . Another big advantage is that if someone borrows the car for a test drive with the purpose of cloning a car key, the person might not be able to steal the car at night from the salesman's yard, if the salesman has re-programmed the key fobs after the test drive.

In the proposed Remote Keyless Entry System, the driver has to press a button on the key fob to open or lock the car. This protects the system from a Two-Thief Attack. Furthermore, with the proposed system it is almost impossible to become a victim of a Scan, Playback or Challenge Forward Prediction Attack, since the authentication message consists of encrypted decimal numbers from randomly selected memory locations.

For a successful Scan Attack, the 32 bit car key ID, the always changing 80 bit authentication message and the timing must be correct before the instruction command to unlock the car can be sent. Hence, it is extremely difficult to attack the proposed protocol with a Scan Attack.

For a successful Playback Attack, the attacker must hope that the recorded sequence of ten random numbers, used to access the values of ten memory locations in order to build the authentication message, will occur again. Since RNGs are used, the probability of repeated random number sequences is very small and thus it is extremely difficult to attack the proposed protocol with a Playback Attack.

Attacking the proposed protocol with a Forward Prediction Attack is extremely difficult because the authentication message is built from the values of ten randomly selected memory locations. The indices of these memory locations are generated with an RNG and thus it is almost impossible to predict the sequence of the generated random numbers.

One drawback of the proposed protocol is that the owner is responsible for updating the key fobs with new keys (random numbers). When the board computer displays a request for updating the key fobs, the owner has to plug both key fobs into the interfaces located at the central console so that they can be programmed with the new keys. How often new keys should be written to the key fobs depends on how often the key fob(s) is/are used, or at the latest after a certain time interval.

V. CONCLUSION
In this paper we have introduced a Protocol for a Secure Remote Keyless Entry System applicable in Vehicles. For the encryption, symmetric cryptography is used. The system consists of a car transceiver and a key fob with a programming interface. To process a command such as unlocking the car, the transceiver first requests the key fob to authenticate. This authentication is done by requesting the key fob to send an authentication message that is built from the content of ten randomly selected memory locations. The car transceiver builds its own authentication message and compares it with the received one. It is assumed that the key fob as well as the car transceiver have an EEPROM where the shared keys are stored. To synchronize the content of the EEPROMs of key fob and car transceiver, the programming interface is used. In this paper we have also compared our proposed protocol with existing authentication techniques applied in key fobs. We can conclude that hacking our proposed protocol with a Scan Attack, Playback Attack, Forward Prediction Attack or a Two-Thief Attack is extremely difficult. Furthermore, due to the lightweight encryption algorithm, the processors in the car transceiver and in the key fobs need less computation power and thus the system becomes more energy efficient. More optimization techniques and mathematical proofs are left for future work.

REFERENCES

IEEE. doi:10.1109/ICICS.2009.5397727
[3] A. I. Alrabady and S. M. Mahmud, "Analysis of Attacks Against the Security of Keyless-Entry Systems for Vehicles and Suggestions for Improved Designs," IEEE Trans. Veh. Technol.