Abstract

Abstract: The Megamos Crypto transponder is used in one of the most widely deployed electronic vehicle immobilizers. It is used among others in most Audi, Fiat, Honda, Volkswagen and Volvo cars. Such an immobilizer is an anti-theft device which prevents the engine of the vehicle from starting when the corresponding transponder is not present. This transponder is a passive RFID tag which is embedded in the key of the vehicle.

In this paper we have reverse-engineered all proprietary security mechanisms of the transponder, including the cipher and the authentication protocol which we publish here in full detail. This article reveals several weaknesses in the design of the cipher, the authentication protocol and also in their implementation. We exploit these weaknesses in three practical attacks that recover the $96$-bit transponder secret key. These three attacks only require wireless communication with the system.

Bio: Flavio Garcia is a Senior Lecturer and Senior Birmingham Fellow at the University of Birmingham. His work focuses on the design and evaluation of cryptographic primitives and protocols for embedded devices like automotive key fobs and smart cards. His research achievements include breakthroughs such as the discovery of vulnerabilities in four of the most widely used contactless smart cards, the Mifare Classic, HID iClass, and Atmel’s SecureMemory and CryptoRF. The first of these, Mifare Classic, was widely used for electronic payment (e.g. Oyster Card) and access control (e.g. Amsterdam Airport). Garcia’s work has been widely recognized as world leading including an “Outstanding Paper Award” from IEEE Security & Privacy (Oakland).