Researchers from Ruhr University Bochum, Germany, have cracked the security of keyless entry systems based on KeeLoq RFID technology. The announcement was made Monday, and follows a recent trend in research on RFID. The research will allow anyone to access KeeLoq-based devices from a distance of three hundred feet without leaving a trace.
The research applies to all known car and building access control systems that rely on the KeeLoq cipher. The Communication Security Group in the Electrical Engineering and Information Sciences Department at Ruhr University targeted and ultimately cracked KeeLoq RFID as part of its research in embedded security. “The security hole allows illegitimate parties to access buildings and cars after remote eavesdropping from a distance of up to 100 meters,” says Prof. Christof Paar.
A KeeLoq system consists of active Radio Frequency Identification (RFID) transponders and a receiver. Both the receiver and the transponder use KeeLoq as the encryption method for securing the over-the-air communication. The attack method is based on DPA (Differential Power Analysis) carried out on several KeeLoq-based devices. These so-called side-channel attacks are based on measuring and evaluating the power consumption of a KeeLoq device during its operation. Based on the research, an attacker can reveal the secret key for the remote control in less than one hour, and the manufacturer key of the corresponding receivers in less than one day.
Prof. Paar’s team used various code-breaking techniques to develop several attack variants. The researchers said that in the most devastating attack they developed, car keys (or building keys) can be cloned from a distance of several hundred meters.
“Eavesdropping on as little as two messages enables illegitimate parties to duplicate your key and to open your garage or unlock your car,” says Prof. Paar. With another malicious attack, a garage door or a car door can be remotely manipulated so that legitimate keys do not work any more. Thus, after the security of the building or car has been breached, the attacker can prevent you from future access.
This is not the first time KeeLoq has been targeted. In 2007, joint work between three research groups (the computer science department of the Technion, Israel; the research group COSIC of the Katholieke Universiteit Leuven, Belgium; and the math department of the Hebrew University, Israel) discovered a different attack against the KeeLoq system.
Using the details of the KeeLoq algorithm that were leaked in 2006, the researchers started hunting for weaknesses. "In our research we have found a method to identify the key in less than a day. The attack requires access for about 1 hour to the remote control (for example, while it is stored in your pocket). Once we have found the key, we can deactivate the alarm and drive away with your car," they reported.
KeeLoq has been used for access control since the mid-1990s. By some estimates, it is the most popular of such systems in Europe and the US. Besides the frequent use of KeeLoq for garage door openers and other building access applications, it is also known that several automotive manufacturers, such as Chrysler, Daewoo, Fiat, GM, Honda, Toyota, Volvo, VW, Clifford, Shurlok, Jaguar, and Lexus (Toyota), base their anti-theft protection on devices featuring KeeLoq that were assumed to be secure.
"Microchip recognizes that the highly talented researchers have been successful at a theoretical attack of a block cipher. However, the KEELOQ security system implementation involves much more than just the cryptographic algorithm. The researchers’ claims that vehicles can be stolen, based on their cryptographic findings related to the KEELOQ algorithm, are incorrect due to several mistaken assumptions. Microchip does not believe a public debate on how to steal vehicles benefits consumer security. In addition, for reasons of customer confidentiality, Microchip cannot disclose specific information regarding the errors in the claims being made," Microchip, the company that created KeeLoq, said in a statement made after the 2007 discovery.
Microchip has made no comment on this recent research.