Paper 2013/598

Fuming Acid and Cryptanalysis: Handy Tools for Overcoming a Digital Locking and Access Control System - Full Version

Daehyun Strobel, Benedikt Driessen, Timo Kasper, Gregor Leander, David Oswald, Falk Schellenberg, and Christof Paar


We examine the widespread SimonsVoss digital locking system 3060 G2 that relies on an undisclosed, proprietary protocol to mutually authenticate transponders and locks. For assessing the security of the system, several tasks have to be performed: By decapsulating the used microcontrollers with acid and circumventing their read-out protection with UV-C light, the complete program code and data contained in door lock and transponder are extracted. As a second major step, the multi-pass challenge-response protocol and corresponding cryptographic primitives are recovered via low-level reverse-engineering. The primitives turn out to be based on DES in combination with a proprietary construction. Our analysis pinpoints various security vulnerabilities that enable practical key-recovery attacks. We present two different approaches for unauthorizedly gaining access to installations. Firstly, an attacker having physical access to a door lock can extract a master key, allowing to mimic transponders, in altogether 30 minutes. A second, purely logical attack exploits an implementation flaw in the protocol and works solely via the wireless interface. As the only prerequisite, a valid ID of a transponder needs to be known (or guessed). After executing a few (partial) protocol runs in the vicinity of a door lock, and some seconds of computation, an adversary obtains all of the transponder’s access rights.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in CRYPTO 2013
Access controlelectronic lockreverse-engineeringrealworld attackhardware attackcryptanalysiswireless door openers
Contact author(s)
daehyun strobel @ rub de
2013-09-19: received
Short URL
Creative Commons Attribution


      author = {Daehyun Strobel and Benedikt Driessen and Timo Kasper and Gregor Leander and David Oswald and Falk Schellenberg and Christof Paar},
      title = {Fuming Acid and Cryptanalysis: Handy Tools for Overcoming a Digital Locking and Access Control System - Full Version},
      howpublished = {Cryptology ePrint Archive, Paper 2013/598},
      year = {2013},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.