Cryptology ePrint Archive: Report 2012/617

Security Analysis of an Open Car Immobilizer Protocol Stack

Stefan Tillich and Marcin Wójcik

Abstract: An increasing number of embedded security applications---which traditionally have been heavily reliant on secret and/or proprietary solutions---apply the principle of open evaluation. A recent example is the specification of an open security protocol stack for car immobilizer applications by Atmel, which has been presented at ESCAR 2010. This stack is primarily intended to be used in conjunction with automotive transponder chips of this manufacturer, but could in principle be deployed on any suitable type of transponder chip. In this paper we re-evaluate the security of this protocol stack. We were able to uncover a number of security vulnerabilities. We show that an attacker with a cheap standard reader close to such a car key can track it, lock sections of its EEPROM, and even render its immobilizer functionality completely useless. After eavesdropping on a genuine run of the authentication protocol between the car key and the car, an attacker is enabled to read and write the memory of the car key. Furthermore, we point out the threats of relay attacks and session hijacking, which require slightly more elaborate attack setups. For each of the indicated attacks we propose possible fixes and discuss their overhead.

Category / Keywords: implementation / Security, car immobilizer, protocols, openness, analysis

Publication Info: Previous versions of this paper have been published at the industrial track of ACNS 2012 (peer review, no formal proceedings), INTRUST 2012 (peer review, Springer LNCS formal proceedings), as an invited paper at WESS 2012 (no peer review, inclusion in ACM formal proceedings pending on permission from Springer), and ESCAR 2012 (peer review, no formal proceedings).

Date: received 31 Oct 2012, last revised 2 Nov 2012

Contact author: stefanti at gmx at

Available format(s): PDF | BibTeX Citation

Note: This is the full version of the paper. It includes a discussion of the use of various commands for tracking and an additional countermeasure against replay attacks.

Version: 20121102:110042 (All versions of this report)

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]