Embed Size (px)
Citation preview
Security of car keys Andrej Šimko
25.04.2014
1. Introduction
From the beginnings, the first use of cryptography in automobiles has been in immobilizer chips based on RFID technology. This has been going around for over two decades now, and many countries have enforced mandatory usage of immobilizers in car (in Germany this was done from 01.01.1998, or in Canada from 01.09.2007 [3]). I will at first introduce brief history of car keys themselves, followed by introducing the concept of RFID, go through describing various types of car keys and elaborating how they operate, give example about successful attacks and propose counter measures against them. In last chapter (conclusion) I will elaborate on how cars are actually stolen nowadays.
2. History of car keys
During long period in history, there was no such thing as keys in cars. According to Popular Science article [1], the key itself was introduced to cars by Chrysler Corporation in 1949 as ignition-key for starting automobiles. This feature combined previously 2 separate buttons (as can be seen on picture) – starter and ignition into one switch. This new absence of buttons was also done to prevent children from accidentally starting and moving car if it was left in gear [2].
3. Introduction to RFID
Radio-Frequency IDentification is wireless technology used for data transfer by using radio antennas. It has become more popular and controversial over the last years. Main concern that is connected with using this technology is the potential ability to track consumers without their knowledge of consent. In 2003, clothing designer Benetton planned to “weave radio frequency ID chips into its garments to track its clothes worldwide” [4]. These particular RFID tags created by Royal Philips Electronics in quantity of 15 million RFID chips could be scanned from 5 feet away (unlike bar code scanners which have to be held directly to scan anything), and thanks to their size of grain of sand [4], they can be undetectable by consumers themselves.
However, RFID itself was first developed during Second World War to address and serve security issues. After being created to Friend or Foe identification systems onboard military aircrafts, first anti-theft systems were commercialized in 1960s (thanks to research by Harry Stockman of system completely energized by reflected power) [5].
In the cars, RFID can be found on many places – starting from making individual parts of vehicle in the factories, shipping and putting them together, through locking and unlocking doors, enabling and disabling the alarm system, opening the trunk, starting the vehicle, collecting wirelessly information from sensors, communicating with other vehicles on road, or paying for gas or road tolls.
4. Types of car keys
4.1. Classic metallic keys
These keys were used from 1949, and were firstly introduced by Chrystler Corporation. Cars with this security system could still be easily hard-wired and stolen, since there was no other security mechanism present. Metallic keys could also be easily duplicated.
4.2. Metallic keys with immobilizer
To start a car with this security mechanism in use, 2 components are necessary. First one is the metallic key itself that needs to be inserted into the ignition. Second and more important one is hidden in the plastic end of the key - so called “immobilizer” (embedded RFID transponder). This wireless component (operating in LF band between 120-135 kHz) needs to be able to communicate with the steering column (and through it with ECU – Engine Controller Unit). Immobilizer is a passive component device (it does not have its own power source, but rather uses electromagnetic induction from interrogation signal transmitted by the reader) that authenticates itself to the steering column and enables the vehicle to operate (by enabling the fuel injection system of the vehicle). This kind of protection system also protects cars from hotwiring, because ignition system won’t work before a successful authentication by the RFID portion of the car key. One can easily check if the car would start without a proper immobilizer authentication by wrapping aluminum foil around plastic component of the key, which creates Faraday cage and shields the key from communicating with other entities.
Using immobilizers has significantly decreased auto theft. According to the statistics published by Allianz Canada in 2001, drive-away auto theft has been decreased by 70% thanks to the immobilizers [6]. Similar Australian research from 2001 shows a high decrease in the auto theft of the cars with the immobilizers [7].
We can divide immobilizers into 2 groups: Electronic and Cryptographic. Electronic immobilizers were the first generation which used static signature type transponder. Although they lacked good entropy and were easy to spoof, this meant a huge decrease in car theft (see picture “Vehicles stolen in the US [million cars]” that was taken from [8]). Next evolution step were the cryptographic immobilizers, which use cryptographic protocols. Unfortunately, many companies still use proprietary systems with security by obscurity and hence ignore Kerckhoffs’s principle. Even contemporary proprietary systems have already been reverse-engineered and weaknesses have been found – RC4 cipher, A5/1 and A5/2 ciphers used in SIM cards in GSM phones, or other. It is reasonable to assume, that such weaknesses would also be found in immobilizers.
4.3. Remote Keyless Entry Systems (RKE)
This stand-alone system doesn’t necessarily needs to be part of the car key itself, but can just be attached to a keychain. Its main goal is to lock and unlock doors, open the trunk, or disarm the car alarm system. Older models worked in infrared band; newer ones use radio waves (UFH band of 315-433 MHz with transmission range between 10-100 meters). Either way, it needs to have power source in order to send signal to the receiver – thus this component is active one (opposed to an immobilizer). The first car which used remote central locking system was in the Renault Fuego in 1982 [10].
According to the Remote Control Encoder/Decoder’s technical manual of Texas Instruments [9], this particular RKE system work as follows:
A 40-bit rolling code (or hopping code) is used, which means there are 240 (about 1 trillion) of possible codes. This code is embedded inside chip’s memory. After pressing a button, this 40-bit code is sent along with function code (function of key that was pressed – lock the doors, unlock the doors, open the trunk …). At receiver’s end, there is also a 40-bit code stored. If these two codes match, requested function is performed. If not, nothing happens. Both ends (the transmitter and the receiver) use the same PRNG (Pseudo-Random Number Generator) to derive the next values. Every time a new code is transmitted by a transmitter or received by a receiver, PRNG of that end generates a new code which is stored in the memory. This way, both ends are synchronized. Receiver only does what it is requested to do, if an expected valid code is received from the transmitter. When however transmitter button is pressed when receiver is out of range, desynchronization occurs. This particular system however allows receiver to accept any one of next 256 possibly valid code values. Problem occurs, when the buttons on the transmitter are pressed 257 times or more – then resynchronization is needed, because the receiver will completely ignore any other values, although they might come from the legitimate source. How to do resynchronization purely depends on the company and the model of the car – it is not standardized.
4.4. Remote Keyless Ignition Systems (RKI)
Next (and so far the newest one) generation of the car keys (also called “Smart Key”, or “Passive Keyless Entry and Start Systems” – PKES), which falls into the category of active devices with their own power source, does not require any metallic key to open, nor to start a car. Doors are also usually unlocked without pressing any buttons on key – it’s enough to have key in a pocket, and touch a sensor on a door handle or trunk. This key is either in the form of a plastic card to be inserted into the ignition slot, or might not be needed to be inserted at all – just having it in the car might be enough. Only one push of the ignition button with RKI in pocked or just inside a car is needed for starting the car. Locking mechanism can be done simply by walking away from the car, or by touching the capacitive area on the door handle. Every car manufacturer uses different names for keyless system – some examples can be found on [11].
Since such “automatic” car unlocking or ignition can be dangerous, in 2005 insurance expert Thatcham introduced standard requiring such a devices not to work when they are more than 10cm away from the vehicle [12]. Failure to meet this requirement can resolve in stealing car when its owner is filling up fuel, or loading the trunk.
There are three modes of operations of this type of key – the most commonly used, normal mode, uses two radio channels – on the first one, after getting in the close proximity to the car, the car communicates via inductive coupling LF channel (120-135 kHz) to the key on one channel (its vicinity can be 1-2 meters), and the key will reply back on the second, UHF channel (315-433 MHz) even in vicinity of 50-100 meters. A car first periodically sends LF signals until the key sends its acknowledgment proximity UHF signal; then the car sends its ID number along with the challenge via LF signal, and finally, the key sends its response via the UHF signal. Active remote open door mode of operation however uses only one way messages, where to open the door one must press the key. Finally, battery depleted mode works in both directions and uses the passive component on
the key, when the main battery is depleted. This way it is needed to put the passive component near the RFID reader, and also employ metallic key in the key fob to start a car (since it works like immobilizer). You can see summary in following table (taken from [14]).
5. Radio jamming attack
This relatively easy attack aims on jamming the locking signal from the key to lock the car. Attacker has to be in the near vicinity to mount this attack. Although this does not allow a thief to steal a car, but rather to rob some valuable possessions left inside by the owner. Of course, cars make particular sound signal when they are locked, so owner should notice his car wasn’t successfully locked.
6. Successfully documented attack on DST
Although RFID keys have been used in cars for over a decade now, there are still only a few papers available which focus on the research of car keys security. One research paper in particular (Security Analysis of a Cryptographically-Enabled RFID Device) [13] had significant impact in this field and showed that tested system had major security flaw. In 2005, USA research team composed of scientists from Department of Computer Science of Johns Hopkins University and scientists from RSA laboratories, released paper which described and proved a major security vulnerability in DST (Digital Signature Transponder) manufactured by Texas Instruments. In 2005 the DST was widely used (in numbers of millions devices) in North America for car ignition systems, as well as Exxon-mobile SpeedPassTM payment transponders.
Authors of paper [13] used black-box (oracle) approach by testing an ordinary DST and observing output responses of device itself. Even without using any deeper knowledge about security system in use, and with help of only minimal RF expertise along with cheap off-the-shell equipment, they were successful in reverse-engineering cipher in challenge-response protocol in DST starting from only roughly published schematics. That means that real life attackers with some deeper knowledge or more investment could do much better in terms of the speed of breaking this particular security system. Key cracking itself was not hard even for year 2005, since DST used only 40b secret key that is programmable by RF command. Sixteen FPGA modules operating in parallel were enough to recover DST key in under an hour for arbitrary challenge-response pair (because software cracking was too slow, this hardware-based one was used). After the secret key was successfully discovered, authors tried to buy petrol at ExxonMobil station couple of times with using only a simulator (not the real key), and also started a car (2005 model Ford Escape SUV) with only a copy of the metallic portion of the ignition key. When secret key was successfully obtained, it was easy to clone the DST using cheap RF equipment by simulating responses and tricking reader into thinking it’s from legitimate tag.
6.1. Introduction to DST
A DST is passive device (containing small microchip and antenna coil in capsule), which enables long transponder life and smaller design. While talking with a reader, DST sends factory-set 24-bit key identifier and then uses challenge-response protocol to authenticate itself. The reader then transmits a 40-bit challenge, which is encrypted by DST’s 40-bit key and truncates resulting ciphertext into a 24-bit response. Thus, entire security of this system (against cloning or simulation) depends on not knowing the secret key itself. In the paper [13] the team managed to discover this secret key inside one hour and also proposed a time-space trade-off, when pre-determined challenge (chosen-plaintext attack) could reduce cracking time to matter of minutes with computer without FPGA upgrade, or even to seconds with it. Although authors said that full analysis will appear in future versions of this work, I haven’t been able to find it and I don’t know, if it was ever published.
6.2. Practical Significance of Results
Although it is clearly possible to break this security system, it is only one of the layers of protection. SpeedPassTM uses online fraud prevention which could be analogously compared to that credit cards transaction processing uses. Thanks to this, suspicious usage patterns may result in disabling or flagging SpeedPassTM device from network. This however doesn’t apply to automobile, because it’s an offline device. Successful attack on immobilizer will thus result in compromising the entire vehicle. Even though the successfully compromising of the vehicle doesn’t automatically mean it’s easy to steal, it renders it as vulnerable as the one without immobilizer. This fact itself presents a significant thread, since as noted before; introducing immobilizers meant reducing auto theft by 70%. Of course, one obstacle for potential thief can be obtaining two challenge-response pairs (because DST40 outputs only 24 bits per 40-bit challenge, at least two pairs are required for uniquely identifying secret key). This interception of signal can be done in two different ways – either by active scanning, or passive eavesdropping.
In the active scanning mode, the attacker has to bring his own malicious reader within the communication range of the attacked DST. Since RFID used in immobilizers and SpeedPassTM is designed for communicating over the short distance only (few centimeters at best), attacker has to be really close to the DST (which could be in owner’s pocket) to simulate the reader. Communication speed of DST device is about 8 queries per second, which means attacker should be able to obtain 2 pairs within only fraction (one quarter) of second. With choice of active scanning mode, the attacker can apply chosen-challenge attack and thus using pre-computed tables, decrease the overall time of finding the secret key. Therefore, a small cloning device could be build by attacker with enough knowledge and expertise from engineering, which would be portable and possibly unnoticeable. Such a device could send chosen challenges, obtain secret key and copy/simulate a DST device within a minute, although with today’s computational power it could be reduced even further. Authors of paper [13] estimated in 2005 such a device could be built for several hundred dollars and could have size of Apple iPod, but with today’s hardware and cloud computing, search of pre-computed tables could be done in only a matter of seconds. Authors also estimated that pre-computing Hellman tables would require about 10GB of storage and should have success rate 99+%. In 2005, they were in process of building these tables, but I didn’t find any follow-up papers about their results and achievements.
Passive eavesdropping is solely dependable on intercepting the signal of a valid authentication communication between the DST and the legitimate reader. A DST operates at frequency of 134.2 kHz and I was unable to find any reliable information about intercepting range at this frequency.
6.3. Reverse Engineering
Authors of paper [13] didn’t disclose full reverse-engineering details of weak cipher behind DST (called DST40), although they said when enough time passes and market won’t longer be as vulnerable to this particular weakness, they will publish the full specification of their findings. Based on only little information available from schematic from Texas Instruments (see picture published at [13]), they were able to discover how it works (although key parts of schematic were missing, or intentionally misleading/incorrect). According to the schematic (see picture), the DST40 is basically feedback shift register, where in each round inputs from challenge register and key register pass through the collection of logical units. Output value is then again put as input to the challenge register. There are three logical levels of feedback registers (let’s call first level f-box, second h-box, and third g-box). In the first level (units f1 … f16), every f-box takes either 3-bit key and 2-bit challenge or 2-bit key and 3-bit challenge. Every one of these f-boxes returns only 1-bit. Every second level
(units f17 … f20) g-box takes 4 bits output from four first level f-boxes. Finally, third level (f21) consists of only 1 functional unit and is responsible for passing result from h-box to challenge register.
Unfortunately, shown picture does not describe what is going on inside functional units (which operations are performed inside of them), nor does it tell how the routing network operates (which bits in the challenge and key registers are inputs to which functional units). Also, as described more in depth in original paper, the real implementation of DST40 differs from shown diagram. Furthermore, usage of XOR and Feistel structure was discovered in challenge register by modifying an individual challenge bit and seeing how it would affect output of the entire round. Notably it was discovered that changing 38th or 39th bit of challenge register always change the output of h-box, which along with observation that these two bits effects first and second bits of two-bit round shown usage of XOR. More details about reverse engineering can be found in original paper and would take lots of space to describe here.
7. Relay attack on PKES
More recent paper [14] focused on security of Passive Keyless Entry and Start Systems (PKES), or Remote Keyless Ignition System, or just simply Smart Key. It introduced a new model of attacking this newest type of key systems used in most recent cars. This model of attack is independent on used protocol, cryptography, modulation, strong authentication or encryption and basically relies only on sending intercepted messages over greater distance then it would be expected. Authors of this paper tested 10 vehicles from 8 manufacturers and all cars were vulnerable to this attack. They build two variants of physical-level relays – wired and wireless. Both allow attacker to enter and start a car just by relying messages without their modification between the key and the car. Also, only one-way (from the car to the key) relaying of the signal was sufficient to perform the attack, while the distance could be as much as 50 meters with no line of sight (which authors successfully tested). The key itself can also be excited from as far as 8 meters distance on some systems, which makes victim completely oblivious to attacker. Cost of mounting such an attack ranges between 100 (wired variant) and 1000 USD (wireless variant), which also makes this attack cheap and practical.
Relay attack works because of the wrong assumption of PKES system, that for opening and starting a car, a key must be in near distance to be able to communicate and authenticates itself. Thus it is wrongly presumed that verifying the correctness of the key implies its near physical proximity.
During attack, only LF band was used for relaying, since UDF communication can be eavesdropped on approximately 100m, and it’s not used for proximity detection.
7.1. Relay over the cable and over the air attack scenarios
Relay over cable attack was composed of two loop antennas connected together with a cable that relayed the
LF signal between those two antennas. Although there might not be need for it, optional amplifier can be put in the middle to improve signal strength. After antenna is placed near to the door handle, it intercepts the car beacon signal as local magnetic field. These changes in field are captured by first antenna and are passed to second antenna via cable and optionally via amplifier. Usage of amplifier mainly depends on strength of original signal, proximity of relaying antenna from car’s antenna, length of coaxial cable, or quality of antennas. When signal is sent from the second antenna and is intercepted by the key, the key itself sends direct UHF signal to car (since it works on up to 100 meters, it can be done without any other relaying of messages). At first, attacker has to put his antenna near outside sensors of car (usually in the key handle) to open a car (since car itself will send open command from external car antennas), and then move his antenna to inside of the car so that the car can send start command to its inside antennas. Since during this attack the coaxial cable needs to be present (which is far cheaper alternative), attacker might raise suspicion. Also physical obstacles like walls, doors or window might prevent this attack from being unnoticeable by other people. The picture below shows schematic of wired variant of the attack.
On the other hand, relay over the air attack addresses these problems by using air as physical medium of spreading signals, making it virtually unnoticeable to other people. It composes of the transmitter and the receiver, both operating on 2.5 GHz frequency. At first, the transmitter captures and converts the LF signal, amplifies it and sends over greater distance to the receiver. The receiver receives 2.5 GHz signal and converts it into the again amplified original LF signal. Otherwise all other procedures are the same as described with using coaxial cable. See the picture below describing wireless variant.
7.2. Delays, key response time and key response spread time
Other advantage of wireless relay attack is the smaller delay. In coaxial cable the speed is approximately 66% of the speed in the air. Amplifier adds only few nanoseconds delay, transmitter and receiver introduce approximately 15-20ns delay and the largest delay is introduced by distance (approximately 100 ns per 30 meters). Authors also tested the maximum possible delay in which a car would accept commands from the relay and came into the conclusion, that it’s between 35 µs and tens of milliseconds, depending on the car manufacturer and model. This means that theoretical distance of over the air relay attack could be between 10 and 3 000 km.
Closely interconnected with the delay is the key response time. This indicates the time passed between the moment of the car sending the challenge and the moment when the key starts its response. The spread time means the difference between the minimum and the maximum key response times. Thanks to these values and estimation can be made about the maximum delay without detection being possible. It was discovered, that in evaluated PKES systems there is no detection possible because of too high values of acceptable delays. Therefore solution based on measurements of the average key response time for discovering relay attacks are infeasible. The smallest response system had spread time 11 µs, while relaying wireless signal 30 m took only about 120 ns in one direction. Based on the results it’s also noticeable, that manufacturers set maximum acceptable delay to 20-50 times of the measured spread, most likely to provide higher reliability. Exact numbers can be seen in table taken from [14].
7.3. Examples of the attack scenarios
PKES is responsible for locking car when its owner with key leaves few meters radius of his car. What can however happen is, that attacker can install one of his antennas in near vicinity of some point owner has to go near or through (elevator from underground passage, doors, paying machine…). While the car is left by the owner locked and in the parking zone, attacker can place the second antenna near outside sensors (door handle). In doing so, the signal can now be relayed once owner of the car walks near the first antenna. Key will thus receive the signal from the car to which it replies with open command. Since the messages from the key are sent over the UHF which has long distance coverage, they can reach car without any difficulties up to 100 meters. Car will therefore be unlocked; attacker can move his second antenna into the car near start button and start it. Once the car is started, there are no mechanisms (for safety reasons) which would stop the car if PKES relay was removed from a car and stopped communicating with legitimate key. Since there would be no physical evidence of tampering with car, and even security surveillance might indicate using the correct key, it may be hard to prove owner didn’t collaborate with a thief.
8. Counter measures
8.1. Faraday’s cage
Any RFID based wireless system can and should be put inside an aluminum foil or other protective metallic sheath which would prevent it from sending or receiving any radio communication signals. This applies to immobilizers, RKE and RKI systems. The only problem with this solution is loosing comfortability since RKE and RKI systems don’t require any interaction at all. Every time the owner wants to use the car, he would have to get the key out of the Faraday’s cage and thus loosing full convenience of keyless systems. Faraday’s cage is also recommended for other RFID based devices as well.
8.2. Removing battery
Safer solution than using Faraday’s cage which applies only to active components (and thus not immobilizers) is removing or disabling the power source. Keyless systems would then return to mode with backup physical keys (which are usually hidden inside the wireless key fob in case battery becomes dead).
8.3. Changes by manufacturers
Since users themselves can hardly do anything with insecure systems, it’s up to manufacturers to implement more secure protocols, better cryptography, stronger keys and authentication or additional mechanisms for detecting relying attacks.
Keyless systems could have their software slightly modified to add following functionality: if a user was to lock car by pressing key, PKES could stay disabled. This could be used in insecure places like public parking areas and would require pressing button of fob again to unlock the car. If however user would be in the secured environment, like his own garage, he could lock the car by walking away from it or touching a button on a door handle, PKES system would remain active and car would allow keyless entry again.
Other proposition could be to implement access control restrictions, when for example trying to open car doors by handle without proper presence of the key in the near vicinity would resolve in stopping sending all signals from car, or even setting off the alarm system. That way, possible relaying attack on PKES would have to be perfectly timed.
Introducing a new switch to key which would disconnect the battery would also be valuable. Using the distance bounding protocols would help in solving relaying attacks. In such protocols, verifier
measures the upper-bound on his distance to the prover. Attacker hence can’t convince both that they are closer than they really are, only further [15]. This kind of protocols works by exchanging messages between both entities by rapid speed. Verifier sends challenge to prover and after some processing time, prover replies. Verifier measures round trip time between sending challenge and receiving response, subtracts prover’s processing time and computes the distance between this two entities. Since the verifier sends unpredictable challenges (which introduce freshness and authentication into this protocol) and the prover has to take them into account when replying to the challenge, the attacker can’t easily spoof the correct responses in shorter time and thus tricking both entities into believing they are closer. Of course, systems have to be able to measure distance with variance as small as possible. If we take speed of light c and we say that user should be as near as 1 meter from car, we will get round trip time 2/c = 6 ns. If we could have systems in few orders of magnitude better, like in recent paper on RF distance bounding that shows a small variance of 62 ps [16]; it would meet the requirements in PKES distance bounding.
9. Different key lengths
TI DST 40b TI DST 80b Philips/NXP Hitag 2 48b Philips SECT 128b EM Micro Megamos 96b
Different manufacturers employ different key lengths, but most of them share vulnerability by design: the key
lengths are less than 128b. Brute-force can therefore be applied to shorter keys without any additional knowledge. This example is breaking 40b cipher DST40 already in 2005. With the deeper understanding of the cryptography, cryptanalysis can be applied no matter the key lengths. Hitag 2 has such vulnerability [8] because its authentication function violates several stream cipher design principles. Since this cipher has 48 bits and uses only XOR operation, its complexity is very limited (linear). After that it’s made more complex by using the binary lookup function which takes the chains of XOR of original 48 unknowns and jumbles them up together. If we use SAT solution solvers to solve our equations, instead of brute-forcing 248 of different guesses, only couple of thousands are now needed which can be solved in under a minute. Tree if how it works is shown on the following picture and described more on webpage [17]. This approach however saves roughly 30 bits of complexity, which still doesn’t make it feasible to attack Megamos cipher with its 96b key.
The other matter are rolling codes used in Hitag 2, which flip only 1 bit in every other instance and that is
extremely easy to break from only a few instances. Opposed to Hitag 2 which possess security flaw in cryptographic structure, trying this approach of solving
SAT didn’t work on DST40 cipher which means, it has good cryptographic structure. Moving to 80 bits was probably good idea, because known vulnerability with DST40 was only key length.
Despite known weaknesses in DST40 cipher, there was probably no car stolen so far by exploitation of this weakness. That’s mainly because while challenge-response protocol runs, it sends random number and to get something from cryptanalysis on random number is infeasible.
10. Security flaw in Megamos challenge-response protocol
Classic handshake protocol uses 3-way handshake. Megamos however “optimized” protocol to only use two messages (as you can see on picture downloaded from [17]), which resulted in a vulnerability. They combined sending of challenge (random number) and encryption of that random number into one message, thus making it no more replay resistant.
11. Conclusion
Although RIFD in car keys has been used for more than two decades now and it helped significantly with coping against car theft, new ways of attacks keep showing up. Many companies still use proprietary ciphers and protocols, because no one in this market wants to use AES, since it would resolve in something compatible with everybody else. Keys can be copied thanks to certain vulnerabilities, which can be used for example in insurance fraud (I copy my key, give it to the thief and show insurance company I still have all my keys and I couldn’t help in theft). Also cars are stolen today based on the vulnerabilities in car controller; thanks to which the new keys can be programmed over CAN bus [18]. First it’s possible to easily send message to shut down the entire alarm system; then as shown at the video [18] the buffer overflow attack to firmware is mounted in some obscure function in trunk. After it occurs, author simply deletes everything so that car seems like it was new from the factory and since it has no keys associated with it yet, the car wants some key to make association with. After that, any key can be associated with the car and it can be easily stolen.
12. Resources
[1] LOZIER, Herbert. 90 Firsts in American Automotive History. Popular Science. New York: Time4
Media, 1964, pp. 81-83. Available from: https://encrypted.google.com/books?id=_iwDAAAAMBAJ&pg=PA80&lpg=PA80&dq=automotive+firsts&source=bl&ots=HmsMDH-dRn&sig=7e_6YR85hodR-Wm50gtphsei23s&hl=en&ei=G1NwTLPRG8Tflgf68OTODg&sa=X&oi=book_result&ct=result&resnum=8&ved=0CDcQ6AEwBw#v=onepage&q&f=false
[2] WHITTAKER, Wayne. Chrisler Family Debut. Popular Mechanics Magazine. 1949, vol. 91, no. 4, pp.
118-123. Available from: https://encrypted.google.com/books?id=SNkDAAAAMBAJ&lpg=PA118&ots=AMEvo2dVrL&dq=chrysler%201949%20ignition&pg=PA123#v=onepage&q&f=false
[3] What is an immobilizer system?. [online]. [cit. 2014-04-25]. Available from:
http://wiki.answers.com/Q/What_is_an_immobilizer_system [4] What Your Clothes Say About You. BATISTA, Elisa. [online]. 03.12.2003 [cit. 2014-04-25]. Available
from: http://archive.wired.com/gadgets/wireless/news/2003/03/58006 [5] GARFINKEL, S.L., A. JUELS a R. PAPPU. RFID Privacy: An Overview of Problems and Proposed
Solutions. IEEE Security and Privacy Magazine [online]. 2005, vol. 3, issue 3, pp. 34-43 [cit. 2014-04-25]. DOI: 10.1109/MSP.2005.78. Available from: http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=1439500
[6] Insurance Marketing Information from Canada: Allianz Canada Encourages Customers to Fight Auto Theft. ALLIANZ. [online]. 20.06.2001 [cit. 2014-04-25]. Available from: http://www.insurance-canada.ca/market/canada/Allianz200107.php
[7] POTTER, Robert a Paul THOMAS. NATIONAL MOTOR VEHICLE THEFT REDUCTION COUNCIL. ENGINE IMMOBILISERS: HOW EFFECTIVE ARE THEY? [online]. 18.10.2001[cit. 25.04.2014]. Available from: http://www.ocsar.sa.gov.au/docs/cars/11.pdf
[8] NOHL, Karsten. Car immobilizer hacking. In: RESEARCH SECURITY LABS. [online]. [cit. 2014-04-25]. Available from: https://sigint.ccc.de/schedule/system/attachments/2015/original/130705.K_Nohl-Sigint-Immobilizer_hacking.pdf
[9] TEXAS INSTRUMENTS. TRC 1300, TRC1315 Marcstar I A/D remote control encoder/decoders. [online]. august 1996, january 1997 [cit. 2014-04-25]. SLWS011D. Available from: http://www.ti.com/lit/ds/slws011d/slws011d.pdf
[10] 1980-1985 RENAULT Fuego Turbo: Model specs. [online]. [cit. 2014-04-25]. Available from: http://www.classicandperformancecar.com/front_website/octane_interact/carspecs.php/?see=3341
[11] Smart key: Nomenclature. In: Wikipedia: the free encyclopedia [online]. San Francisco (CA): Wikimedia Foundation, 2001- [cit. 2014-04-25]. Available from: http://en.wikipedia.org/w/index.php?title=Smart_key&oldid=603251862
[12] Micra's Top Of The Fobs. MUSTARD, Marc. [online]. 13.06.2005 [cit. 2014-04-25]. Available from: http://www.autoexpress.co.uk/car-news/24345/micras-top-fobs [13] Security Analysis of a Cryptographically-Enabled RFID Device.pdf
[14] FRANCILLON, Aurélien, Boris DANEV a Srdjan CAPKUN. Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars. In: [online]. NDSS Symposium 2011, 07.02.2011 [cit. 2014-04-25]. Available from: https://eprint.iacr.org/2010/332.pdf
[15] J. Clulow, G. P. Hancke, M. G. Kuhn, and T. Moore. So near and yet so far: Distance-bounding attacks in wireless networks. In Proceedings of the European Workshop on Security and Privacy in Ad-hoc and Sensor Networks (ESAS), 2006.
[16] K. B. Rasmussen and S. Capkun. Realization of RF distance bounding. In Proc. of the 19th USENIX Security Symposium, 2010.
[17] Cryptographic problems are reduced to their true hardness by SAT solvers. SECURITY RESEARCH LABS. [online]. [cit. 2014-04-25]. Available from: https://srlabs.de/minisat-intro/
[18] New AUDI Key Programming demonstration. EDILOCK LTD. [online]. https://www.youtube.com/watch?v=WGsWCdg3fQU [cit. 2014-04-25].
