Hello, welcome back to this course. In this lesson, I will talk about replay attacks and the relative countermeasures.

Replay attacks consist of the passive interception of data traffic by an attacker between a source and a destination, followed by a retransmission of that data traffic from the attacker to the destination. The graphic shows a typical replay-attack scenario against a remote car-opening system.

A rolling code, sometimes called a hopping code, is used in modern remote keyless entry (RKE) systems to prevent replay attacks. The principle is to transmit, in addition to a fixed part of the code, a variable component that changes at each transmission on the basis of an algorithm known to both source and destination, and on the basis of a counter that keeps track of the number of generations of the variable part.

In the car-opening example, the key fob has a built-in counter that increments by one every time the button is pressed, and this counter value is encrypted and transmitted to the car. The car remembers what the count was the last time the doors were successfully unlocked, say i, and the next time it receives a signal it decrypts the counter value and checks that the count is somewhere between i+1 and i+n, where n can be any manufacturer-defined number between approximately 16 and 256. This window exists just in case the fob has been pressed away from the car.
Both the fob and the car store the secret encryption key that enables this process to take place. To anybody sniffing the data sent from the fob, it appears to be a chunk of statistically random data. In the UK and Europe, RKE key fobs typically transmit on 433 MHz, while in the United States and Japan they transmit on 350 MHz.

One popular RKE system that several manufacturers use is the KeeLoq system, developed by Microchip. Looking at it simply, all the manufacturer needs to do is feed the current counter value into the KeeLoq chip, which then handles the encryption. On the other end, in the car, a similar chip handles the decryption. The hopping-code portion on the right of the figure is the encrypted section of the message. This encrypted section contains the synchronization counter discussed above, a discrimination section ('DISC', typically the lower 10 bits of the serial number) and details of the button pressed on the remote ('BUT'). The discrimination section is used by the decryptor in the car to check that the message was decoded successfully. As can be seen, the serial number of the key fob is transmitted without encryption. The car can be sure it has decrypted the counter correctly if the decrypted DISC section matches the unencrypted serial number.
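As an added example (not from the lecture and not Microchip's code), here is a simulated fob and car receiver in Python that ties together the counter window from the first part of the lesson and the DISC check just described. The block cipher is the public KeeLoq algorithm; the 32-bit hop-code bit layout, the window size and the key and serial values are assumptions constructed for this example.

```python
# Added example: simulated KeeLoq-style fob/receiver. The cipher is the public
# KeeLoq algorithm; the hop-code layout (16-bit counter, 10-bit DISC, 4-bit button,
# 2 unused bits) and all key/serial values are constructed assumptions for this demo.
NLF = 0x3A5C742E        # KeeLoq non-linear feedback lookup table
MASK32 = 0xFFFFFFFF

def _bit(v, n):
    return (v >> n) & 1

def keeloq_encrypt(block, key):
    """Fob side: encrypt a 32-bit block under a 64-bit key (528 NLFSR rounds)."""
    for i in range(528):
        idx = (_bit(block, 31) << 4 | _bit(block, 26) << 3 | _bit(block, 20) << 2
               | _bit(block, 9) << 1 | _bit(block, 1))
        new = _bit(NLF, idx) ^ _bit(key, i % 64) ^ _bit(block, 16) ^ _bit(block, 0)
        block = (new << 31) | (block >> 1)
    return block

def keeloq_decrypt(block, key):
    """Car side: exact inverse of keeloq_encrypt."""
    for i in range(528):
        idx = (_bit(block, 30) << 4 | _bit(block, 25) << 3 | _bit(block, 19) << 2
               | _bit(block, 8) << 1 | _bit(block, 0))
        new = _bit(NLF, idx) ^ _bit(key, (15 - i) % 64) ^ _bit(block, 15) ^ _bit(block, 31)
        block = ((block << 1) & MASK32) | new
    return block

def fob_transmit(key, serial, counter, button):
    """Return what goes over the air: serial in the clear plus encrypted hop code."""
    hop = (button & 0xF) << 28 | (serial & 0x3FF) << 16 | (counter & 0xFFFF)
    return serial, keeloq_encrypt(hop, key)

class CarReceiver:
    def __init__(self, key, serial, last_counter, window=16):
        self.key, self.serial, self.last, self.window = key, serial, last_counter, window

    def accept(self, serial, hop_enc):
        """Apply the lecture's checks; True means 'unlock the doors'."""
        if serial != self.serial:                      # unknown fob, no key to use
            return False
        hop = keeloq_decrypt(hop_enc, self.key)
        if ((hop >> 16) & 0x3FF) != (serial & 0x3FF):  # DISC mismatch: wrong key/garbled
            return False
        counter = hop & 0xFFFF
        delta = (counter - self.last) % 0x10000        # 16-bit counter may wrap
        if not 1 <= delta <= self.window:              # old/replayed, or too far ahead
            return False
        self.last = counter                            # resynchronise to accepted count
        return True
```

A captured message replayed a second time fails the window check because its counter is no longer above the stored value, which is exactly the property the rolling code exists to provide.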
Even if a car key fob doesn't use the exact KeeLoq algorithm discussed above, it will almost certainly follow a similar format: the serial number of the fob is transmitted unencrypted, alongside an encrypted section that contains the counter.

A possible attack on rolling-code systems (called the RollJam replay attack) has been reported. The attacker uses a device that intercepts and stores the unlock messages and, at the same time, with a jamming attack prevents the receiver from receiving them, forcing the transmitter to retransmit the message. The attacker then retransmits to the destination the first rolling-code message sent by the source, which did not arrive because of the jamming, and keeps the second intercepted message stored for future use.

Remote control locks have to meet price-point, reliability, convenience, size, power and performance concerns. A pair of radios could perform a very secure TLS 1.2 key exchange, but transmitting that many bytes over 433 MHz using current protocols and electronics would take thousands of milliseconds. Such a lengthy message would likely trigger dozens of packet resends due to interference, and the typical coin cell in a typical remote wouldn't have enough power to last for long. So this is a problem.
OK, thank you for your kind attention, bye.