Relay Attack Resistant Passive Keyless Entry Securing PKE Systems with Immobility Detection
DEGREE PROJECT IN MECHANICAL ENGINEERING, FIRST CYCLE, 15 CREDITS
STOCKHOLM, SWEDEN 2020
Relay Attack Resistant Passive Keyless Entry: Securing PKE Systems with Immobility Detection
ABEL VALKO
KTH ROYAL INSTITUTE OF TECHNOLOGY, SCHOOL OF INDUSTRIAL ENGINEERING AND MANAGEMENT
Bachelor's Thesis at ITM
Supervisor and Examiner: Nihad Subasic
TRITA-ITM-EX 2020:48

Abstract
A significant security risk of modern vehicles is their vulnerability to relay attacks, because challenge-response methods, such as those employed in the Passive Keyless Entry (PKE) systems used by most commercial cars, are inherently exposed. This class of attack is one in which the communication between a vehicle and its key is relayed by an attacker over long range, thereby bypassing any encryption and unlocking the vehicle without requiring direct access to the key. While a multitude of defenses have been proposed in recent years, many lack either robustness or practicality. Any viable system will likely have to rely on an environmental parameter which is not easily manipulated. Moreover, the system has to be cost effective, easily implementable, and take user comfort, such as the key's battery life, into account.

This thesis implements and evaluates a PKE system resistant to relay attacks, analyses a multitude of strategies proposed in the literature for feasibility, and suggests a novel method: Approach Curve Matching. It is concluded that the most promising strategies are Immobility Detection, Distance Bounding Protocols, and Approach Curve Matching, the first of which is chosen to be implemented in the prototype PKE system.

The project develops a PKE system and implements the communication protocol using Bluetooth, as opposed to the conventional RFID. Immobility Detection, using an accelerometer, is then implemented. The final system is then tested and evaluated. It is concluded that while Immobility Detection is not comprehensively effective, it is easily implementable, cost-effective, and can greatly increase the security of PKE systems. Finally, it is proposed that Immobility Detection should be employed promptly by manufacturers while potentially more effective, albeit uncertain, strategies are investigated.

Keywords: Passive Keyless Entry, Relay Attack, Mafia Fraud, Access Control, Mechatronics

Referat (Swedish abstract)
A significant security weakness of modern vehicles is their vulnerability to so-called relay attacks. In these attacks, where the signals between the car and the key are forwarded, all encryption is bypassed and the car is unlocked without direct access to the key. A large share of commercial vehicles use Passive Keyless Entry (PKE), which is built on challenge-response methods that have been shown to be particularly exposed to these attacks. A number of different protection systems have been proposed in recent years, but many lack the required robustness or feasibility. A suitable system should meet a range of criteria. The strategy must be based on an environmental parameter that is both immutable and sufficiently position-dependent that two nearby positions can be distinguished. In addition, the system must be cost-effective, implementable, and take user comfort, such as battery life, into account.

The main purpose of the project is the construction and analysis of a relay-attack-resistant PKE system. The project also includes an analysis of a number of proposed defenses and a proposal for a new method: Approach Curve Matching. It is concluded that the most promising tactics are analysis of the Jaccard index of Wi-Fi hotspots, Distance Bounding Protocols, Approach Curve Matching, and Immobility Detection, the last of which is also implemented in the prototype PKE system.

The project first develops a PKE system with two Raspberry Pis acting as the car's and the key's microcomputers, and implements the communication protocol using Bluetooth. Immobility Detection is then implemented using a built-in accelerometer in the key. Finally, the system is tested and evaluated. It is concluded that although the effectiveness of Immobility Detection is not comprehensive, it is easy to implement, cost-effective, and can contribute to a significant increase in the security of PKE systems. Furthermore, the project observed that Bluetooth Received Signal Strength Indicator (RSSI) measurements are subject to considerable instability and are generally environment-dependent. Bluetooth RSSI is therefore not considered suitable for PKE applications, even though other methods of distance measurement with Bluetooth may perform better. It is proposed that Immobility Detection be adopted by manufacturers immediately while other, potentially more effective, strategies are investigated.

Keywords: Keyless Systems, Access Control, Relay Attack, IT Security, Mechatronics

Acknowledgements
Thanks are owed to the team of course assistants who have helped during the course of this project and my peers for their opposition and discussion on the thesis. I would also like to extend my gratitude to Andras Valko, Balazs Valko, and Janos Valko for fruitful discussions and brainstorming, and for providing invaluable support throughout the thesis.
Abel Valko, May 2020

Contents
1 Introduction ... 1
1.1 Purpose ... 2
1.2 Scope ... 2
1.3 Method ... 3
2 Background ... 5
2.1 Passive Keyless Entry ... 5
2.1.1 Overview ... 5
2.1.2 Encryption ... 7
2.2 Relay Attack ... 8
2.2.1 Overview ... 8
2.2.2 Limitations ... 9
2.2.3 Threat ... 10
2.3 Key Fob Design ... 10
2.3.1 Battery ... 10
2.3.2 Wireless Technology ... 10
3 Proposed Defenses ... 13
3.1 Received Signal Strength Indicator ... 13
3.2 Coordinate Tracing ... 13
3.3 GPS ... 14
3.4 Jaccard Similarity of Wi-Fi Access Points ... 15
3.5 Distance Bounding ... 16
3.6 Immobility Detection ... 17
3.7 Approach Curve Matching ... 17
4 Implementation ... 21
4.1 Hardware ... 21
4.1.1 Microcomputer ... 21
4.1.2 Bluetooth Module ... 21
4.1.3 Accelerometer ... 22
4.1.4 Locking and Servo Motor ... 22
4.2 Software ... 23
4.2.1 Logic ... 24
4.2.2 Authentication Protocol ... 24
4.2.3 Software Architecture ... 25
4.2.4 Encryption ... 26
4.3 Results ... 26
5 Discussion ... 29
6 Conclusion ... 31
Bibliography ... 33
Appendices ... 37
A ZOE-M8B GPS Module Data-sheet (excerpt) ... 37
B Power Consumption Measurements for WF(M)200 Wi-Fi Module (excerpt) ... 45
C AIS2DW12 Accelerometer Data-sheet (excerpt) ... 50
D CAD Model of Demonstrative Locking Mechanism ... 53
E Python Code for the Designed PKE System - Key ... 55
F Python Code for the Designed PKE System - Vehicle ... 68
G Test Cases ... 77

List of Figures
2.1 Protocol diagram of typical PKE system. ... 6
2.2 Inner and outer RFID zones. ... 7
2.3 Agent entering between the car and key fob communication. ... 8
2.4 Protocol diagram of relay attack on PKE System. ... 9
2.5 RFID beacons placed around the car interior and exterior. ... 11
4.1 Connection diagram for the MPU6050 accelerometer to Raspberry Pi Zero. ... 22
4.2 Activity diagram of the unlocking process for the improved PKE system with Immobility Detection. ... 23
4.3 Sequence diagram of a successful unlocking sequence. ... 25
4.4 Prototype setup of the implemented PKE system with the key fob and accelerometer (left) and on-board computer and lock (right). ... 26

List of Abbreviations
BLE Bluetooth Low Energy
DTW Dynamic Time Warping
GPIO General Purpose Input/Output
GPS Global Positioning System
LF Low Frequency
PKE Passive Keyless Entry
PKES Passive Keyless Entry and Start
PWM Pulse Width Modulation
RF Radio Frequency
RFID Radio-Frequency Identification
RKS Remote Keyless System
RSSI Received Signal Strength Indicator
SARA Signal Amplification Relay Attack
SMBus System Management Bus
UHF Ultra High Frequency

Chapter 1 Introduction
In Sweden alone there are nearly five million registered personal vehicles in use [1].
That is approximately one vehicle for every two individuals [2]. The rapidly increasing connectivity of these vehicles, and the shift from mechanical to electronic and wireless systems, gives rise to new security vulnerabilities. Modern methods of car theft are a prime example of newly digitalized exploits owing to the spread of digital lock systems.

The Remote Keyless System (RKS) has all but replaced the previous mechanical lock mechanism in cars, with its Passive Keyless Entry (PKE) variant becoming standard in most high-end brands instead of its active counterpart. The traditional active RKS is a unidirectional system where the user unlocks the vehicle with a remote control, a.k.a. 'key fob'. The PKE system, explained in detail in Section 2.1, unlocks the car automatically as the user approaches the vehicle with the key fob, without the need for any interaction with the user interface. It employs bidirectional communication: the car sends a wake-up signal to the key when it is within range (commonly under 1 meter) and the driver takes hold of the handle, followed by a challenge-response from the key which, if correct, will unlock the vehicle. A similar check may be performed in order to start the vehicle [3, 4]. This system increases user comfort by eliminating that interaction, and the encryption algorithm and challenge-response technique employed in most recent implementations, explained in Section 2.1, assure high resistance to many methods of attack. However, it is not secure against relay attacks, also known as Mafia Fraud, or the Signal Amplification Relay Attack (SARA). These attacks do not require decryption, are not affected by the complexity of the encryption algorithm, and cannot be eliminated using alternative protocols [4, 5].
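As an added illustration (not code from the thesis), the following Python model shows why the challenge-response check alone cannot tell a forwarded exchange from a genuine one, and how an Immobility Detection rule in the key closes the case where the key is lying at rest. The HMAC construction, the 60-second threshold and the timestamps are assumptions of the model, not the thesis's protocol.

```python
import hashlib
import hmac
import secrets

IMMOBILITY_TIMEOUT_S = 60.0  # assumed threshold: a key at rest this long stays silent

class KeyFob:
    """Key side: answers a challenge only if the accelerometer saw motion recently."""
    def __init__(self, secret: bytes, last_motion: float) -> None:
        self.secret = secret
        self.last_motion = last_motion  # a real fob updates this from the accelerometer

    def respond(self, nonce: bytes, now: float):
        if now - self.last_motion > IMMOBILITY_TIMEOUT_S:
            return None  # Immobility Detection: key at rest, so it does not answer
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()

class Vehicle:
    """Vehicle side: issues a random nonce and checks the MAC computed over it."""
    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, nonce: bytes, response) -> bool:
        if response is None:
            return False
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def unlock_round(vehicle: Vehicle, key: KeyFob, now: float) -> bool:
    """One challenge-response round. Nothing here depends on where the key is or how
    far the bytes travelled, which is exactly why relaying the exchange defeats the crypto."""
    nonce = vehicle.challenge()
    return vehicle.verify(nonce, key.respond(nonce, now))

SECRET = b"constructed-demo-secret"  # constructed sample value, not a real key

def scenario(key_last_motion: float, now: float) -> bool:
    return unlock_round(Vehicle(SECRET), KeyFob(SECRET, key_last_motion), now)

# Owner walks up, key moved 3 s ago: unlocks.  Key left on the hall table for 5 min and the
# exchange forwarded to it: no answer, stays locked.  Key in a walking owner's pocket far
# away: motion is recent, so the round still passes; this is the gap the thesis acknowledges.
RESULTS = {
    "owner_walks_up": scenario(100.0, 103.0),
    "key_resting_at_home": scenario(100.0, 400.0),
    "key_moving_elsewhere": scenario(100.0, 110.0),
}
```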
A review by Gülsever of the repository of the cyber security company Upstream, which collects security incidents relating to the automotive industry, shows 187 exploits related to connected cars, with 25 unique attack vectors (paths that allow an attacker to gain access to a system) identified [6]. RKS vulnerabilities accounted for the largest number of them, as well as having the largest ratio of 'black hat' (malicious, as opposed to 'white hat', i.e. research) attacks.