When reverse-engineering meets side-channel analysis - Digital lockpicking in practice

David Oswald*, Daehyun Strobel, Falk Schellenberg, Timo Kasper, Christof Paar

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)


In the past years, various electronic access control systems have been found to be insecure. In consequence, attacks have emerged that permit unauthorized access to secured objects. One of the few remaining, allegedly secure digital locking systems, the system 3060 manufactured and marketed by SimonsVoss, is employed in numerous objects worldwide. Following the trend to analyze the susceptibility of real-world products towards implementation attacks, we illustrate our approach to understand the unknown embedded system and its components. Detailed investigations are performed in a step-by-step process, including the analysis of the communication between transponder and lock, reverse-engineering of the hardware, bypassing the read-out protection of a microcontroller, and reverse-engineering the extracted program code. Piecing all parts together, the security mechanisms of the system can be completely circumvented by means of implementation attacks. We present an EM side-channel attack for extracting the secret system key from a door lock. This ultimately gives access to all doors of an entire installation. Our technique targets a proprietary function (used in combination with a DES for key derivation), probably originally implemented as an obscurity-based countermeasure to prevent attacks.

Original language: English
Title of host publication: Selected Areas in Cryptography - SAC 2013
Subtitle of host publication: 20th International Conference, Burnaby, BC, Canada, August 14-16, 2013, Revised Selected Papers
Editors: Tanja Lange, Kristin Lauter, Petr Lisoněk
Number of pages: 18
Volume: 8282 LNCS
ISBN (Electronic): 9783662434147
ISBN (Print): 9783662434130
Publication status: Published - 14 Aug 2014
Event: 20th International Conference on Selected Areas in Cryptography, SAC 2013 - Burnaby, BC, Canada
Duration: 14 Aug 2013 → 16 Aug 2013

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 8282 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 20th International Conference on Selected Areas in Cryptography, SAC 2013
City: Burnaby, BC


  • Access control
  • Digital lock
  • EM side-channel attack
  • Obscurity
  • Symmetric key cryptosystem
  • Wireless door openers

ASJC Scopus subject areas

  • Computer Science (all)
  • Theoretical Computer Science

