KeeLoq is a RFID system that protects many anti-theft cards, and garage openers. Already some published cryptanalysis highlighted the weaknesses of the cipher. But the attack were not practical. A group of six German and Iranian researchers designed a set of very practical attacks.
Using Differential Power Attack (DPA), they were able to extract the device key . What is impressive is that they did the attack without the knowledge of the chip. They were working with a black box. For instance, they had to guess when the encryption process occurred. They extract the device key in less than one hour Of course, DPA required physical access to the emitting device. The performed a similar attack to extract the manufacturer from the receiver. It took less than one day.
With this information, by eavesdropping a receiver, it is possible to impersonate it. They extract the seed, the secret and the current counter value. The counter value has to been “loosely” synchronized with the one of the receiver. Of course, by impersonating the emitter, it is easy to desynchronize the receiver from the genuine emitter. The owner of the genuine emitter will have to push his key 2^15 times to open his door. Nice denial of service.
This is the second hack of RFID security in a month. Recently it was NXP Mifare that was hacked. Once more, the security of a RFID was too weak. It has at least two types of known flaws:
- a weak LFSR based cipher
- No protection against side channel attacks.
The industry of secure processors is aware of these types of weaknesses for about one decade and fights them. It is time, that RFID industry adapts also to them. Is it compatible with the price constraints.
A paper at Eurocrypt08 will present this attack. The details of the attacks are available on Ruhr University site