Dismantling DST80-based Immobiliser Systems

Research output: Contribution to journalArticle

Authors

  • Lennart Wouters
  • Benedikt Gierlichs
  • Bart Preneel

Colleges, School and Institutes

External organisations

  • KU Leuven

Abstract

Car manufacturers deploy vehicle immobiliser systems in order to prevent car theft. However, in many cases the underlying cryptographic primitives used to authenticate a transponder are proprietary in nature and thus not open to public scrutiny. In this paper we publish the proprietary Texas Instruments DST80 cipher used in immobilisers of several manufacturers. Additionally, we expose serious flaws in immobiliser systems of major car manufacturers such as Toyota, Kia, Hyundai and Tesla. Specifically, by voltage glitching the firmware protection mechanisms of the microcontroller, we extracted the firmware from several immobiliser ECUs and reverse engineered the key diversification schemes employed within. We discovered that Kia and Hyundai immobiliser keys have only three bytes of entropy and that Toyota only relies on publicly readable information such as the transponder serial number and three constants to generate cryptographic keys. Furthermore, we present several practical attacks which can lead to recovering the full 80-bit cryptographic key in a matter of seconds or permanently disabling the transponder. Finally, even without key management or configuration issues, we demonstrate how an attacker can recover the cryptographic key using a profiled side-channel attack. We target the key loading procedure and investigate the practical applicability in the context of portability. Our work once again highlights the issues automotive vendors face in implementing cryptography securely.

Details

Original languageEnglish
Pages (from-to)99-127
JournalIACR Transactions on Cryptographic Hardware and Embedded Systems
Volume2020
Issue number2
Publication statusAccepted/In press - 15 Dec 2019

Keywords

  • Vehicle immobilisers, Digital Signature Transponder, DST80, key diversification, side-channel attacks