Jing Li,Yabo Dong,Shengkai Fang,Haowen Zhang,Duanqing Xu

DOI: https://doi.org/10.3390/s20164446

IF: 3.9

2020-01-01

Sensors

Abstract:In modern cars, the Passive Keyless Entry and Start system (PKES) has been extensively installed. The PKES enables drivers to unlock and start their cars without user interaction. However, it is vulnerable to relay attacks. In this paper, we propose a secure smartphone-type PKES system model based on user context detection. The proposed system uses the barometer and accelerometer embedded in smartphones to detect user context, including human activity and door closing event. These two types of events detection can be used by the PKES to determine the car owner's position when the car receives an unlocking or a start command. We evaluated the performance of the proposed method using a dataset collected from user activity and 1526 door closing events. The results reveal that the proposed method can accurately and effectively detect user activities and door closing events. Therefore, smartphone-type PKES can prevent relay attacks. Furthermore, we tested the detection of door closing event under multiple environmental settings to demonstrate the robustness of the proposed method.

Tobias Glocker,Timo Mantere,Mohammed Elmusrati

DOI: https://doi.org/10.48550/arXiv.1612.00993

2016-12-04

Abstract:In our modern society comfort became a standard. This comfort, especially in cars can only be achieved by equipping the car with more electronic devices. Some of the electronic devices must cooperate with each other and thus they require a communication channel, which can be wired or wireless. In these days, it would be hard to sell a new car operating with traditional keys. Almost all modern cars can be locked or unlocked with a Remote Keyless System. A Remote Keyless System consists of a key fob that communicates wirelessly with the car transceiver that is responsible for locking and unlocking the car. However there are several threats for wireless communication channels. This paper describes the possible attacks against a Remote Keyless System and introduces a secure protocol as well as a lightweight Symmetric Encryption Algorithm for a Remote Keyless Entry System applicable in vehicles.

Information Theory,Cryptography and Security

Kyungho Joo,Wonsuk Choi,Dong Hoon Lee

DOI: https://doi.org/10.48550/arXiv.2003.13251

2020-03-30

Cryptography and Security

Abstract:Recently, the traditional way to unlock car doors has been replaced with a keyless entry system which proves more convenient for automobile owners. When a driver with a key fob is in the vicinity of the vehicle, doors automatically unlock on user command. However, unfortunately, it has been shown that these keyless entry systems are vulnerable to signal relaying attacks. While it is evident that automobile manufacturers incorporate preventative methods to secure these keyless entry systems, they continue to be vulnerable to a range of attacks. Relayed signals result in valid packets that are verified as legitimate, and this makes it is difficult to distinguish a legitimate door unlock request from a malicious signal. In response to this vulnerability, this paper presents an RF fingerprinting method (coined HOld the DOoR, HODOR) to detect attacks on keyless entry systems the first attempt to exploit the RF fingerprint technique in the automotive domain. HODOR is designed as a sub authentication method that supports existing authentication systems for keyless entry systems and does not require any modification of the main system to perform. Through a series of experiments, the results demonstrate that HODOR competently and reliably detects attacks on keyless entry systems. HODOR achieves both an average false positive rate (FPR) of 0.27 percent with a false negative rate (FNR) of 0 percent for the detection of simulated attacks, corresponding to current research on keyless entry car theft.

Wei Xin,Tao Yang,Cong Tang,Jianbin Hu,Zhong Chen

DOI: https://doi.org/10.1109/IMCCC.2011.115

2011-01-01

Abstract:This Radio Frequency Identification (RFID) systems suffer from different security and privacy problems, among which relay attack is a hot topic recently. A relay attack is a type of attack related to man-in-the-middle and replay attacks, in which an attacker relays verbatim a message from the sender to a valid receiver of the message. The sender may not be aware of even sending the message to the attacker. The main countermeasure against relay attack is the use of distance bounding protocols measuring the round-trip time between the reader and the tag. In this paper, we consider a modification of these protocols using `error state' which stands for the number of response bit errors that have already occurred. We set a maximal error number to prevent adversary from malicious queries, we also apply a punishment mechanism for error responding, which to my best knowledge is proposed at the first time in distance bounding protocols, if the tag sends one error bit, it should respond one more challenge bit to successfully finish the protocol. By using error state and punishment mechanism, the success probability for an adversary to access to the system decreases. Finally, we use the Hancke and Kuhn's protocol as a comparison, to show the improvements achieved when different cases are analyzed.

Shlomi Dolev,Nisha Panwar

DOI: https://doi.org/10.48550/arXiv.1807.11685

2018-07-31

Abstract:Peripheral authentication is an important aspect in the vehicle networks to provide services to only authenticated peripherals and a security to internal vehicle modules such as anti-lock braking system, power-train control module, engine control unit, transmission control unit, and tire pressure monitoring. In this paper a three-way handshake scheme is proposed for a vehicle to a keyfob authentication. A keyfob is a key with a secure hardware that communicates and authenticates the vehicle over the wireless channel. Conventionally, a vehicle to keyfob authentication is realized through a challenge-response verification protocol. An authentic coupling between the vehicle identity and the keyfob avoids any illegal access to the vehicle. However, these authentication messages can be relayed by an active adversary, thereby, can amplify the actual distance between an authentic vehicle and a keyfob. Eventually, an adversary can possibly gain access to the vehicle by relaying wireless signals and without any effort to generate or decode the secret credentials. Hence, the vehicle to keyfob authentication scheme must contain an additional attribute verification such as physical movement of a keyfob holder. Our solution is a two-party and three-way handshake scheme with proactive and reactive commitment verification. The proposed solution also uses a time interval verification such that both vehicle and keyfob would yield a similar locomotion pattern of a dynamic keyfob within a similar observational time interval. Hence, the solution is different from the distance bounding protocols that require multiple iterations for the round-trip delay measurement. The proposed scheme is shown to be adaptable with the existing commitment scheme such as Schnorr identification scheme and Pedersen commitment scheme.

Cryptography and Security

Paul Staat,Kai Jansen,Christian Zenger,Harald Elders-Boll,Christof Paar

DOI: https://doi.org/10.48550/arXiv.2202.06554

2022-04-04

Abstract:Today, we use smartphones as multi-purpose devices that communicate with their environment to implement context-aware services, including asset tracking, indoor localization, contact tracing, or access control. As a de-facto standard, Bluetooth is available in virtually every smartphone to provide short-range wireless communication. Importantly, many Bluetooth-driven applications such as Phone as a Key (PaaK) for vehicles and buildings require proximity of legitimate devices, which must be protected against unauthorized access. In earlier access control systems, attackers were able to violate proximity-verification through relay station attacks. However, the vulnerability of Bluetooth against such attacks was yet unclear as existing relay attack strategies are not applicable or can be defeated through wireless distance measurement. In this paper, we design and implement an analog physical-layer relay attack based on low-cost off-the-shelf radio hardware to simultaneously increase the wireless communication range and manipulate distance measurements. Using our setup, we successfully demonstrate relay attacks against Bluetooth-based access control of a car and a smart lock. Further, we show that our attack can arbitrarily manipulate Multi-Carrier Phase-based Ranging (MCPR) while relaying signals over 90 m.

Cryptography and Security

Pedro Peris-Lopez,Julio C. Hernandez-Castro,Christos Dimitrakakis,Aikaterini Mitrokotsa,Juan M. E. Tapiador

DOI: https://doi.org/10.48550/arXiv.0906.4618

2009-06-25

Cryptography and Security

Abstract:The vast majority of RFID authentication protocols assume the proximity between readers and tags due to the limited range of the radio channel. However, in real scenarios an intruder can be located between the prover (tag) and the verifier (reader) and trick this last one into thinking that the prover is in close proximity. This attack is generally known as a relay attack in which scope distance fraud, mafia fraud and terrorist attacks are included. Distance bounding protocols represent a promising countermeasure to hinder relay attacks. Several protocols have been proposed during the last years but vulnerabilities of major or minor relevance have been identified in most of them. In 2008, Kim et al. [1] proposed a new distance bounding protocol with the objective of being the best in terms of security, privacy, tag computational overhead and fault tolerance. In this paper, we analyze this protocol and we present a passive full disclosure attack, which allows an adversary to discover the long-term secret key of the tag. The presented attack is very relevant, since no security objectives are met in Kim et al.'s protocol. Then, design guidelines are introduced with the aim of facilitating protocol designers the stimulating task of designing secure and efficient schemes against relay attacks. Finally a new protocol, named Hitomi and inspired by [1], is designed conforming the guidelines proposed previously.

Jie Wang,Shengbao Wang,Kang Wen,Bosen Weng,Xin Zhou,Kefei Chen

DOI: https://doi.org/10.3390/electronics13061109

IF: 2.9

2024-03-19

Electronics

Abstract:Dynamic wireless charging emerges as a promising technology, effectively alleviating range anxiety for electric vehicles in transit. However, the communication between the system's various components, conducted over public channels, raises concerns about vulnerability to network attacks and message manipulation. Addressing data security and privacy protection in dynamic charging systems thus becomes a critical challenge. In this article, we present an authentication protocol tailored for dynamic charging systems. This protocol ensures secure and efficient authentication between vehicles and roadside devices without the help of a trusted center. We utilize a physical unclonable function (PUF) to resist physical capture attacks and employ the elliptic curve discrete logarithm problem (ECDLP) to provide forward security protection for session keys. We validated the security of our proposed scheme through comprehensive informal analyses, and formal security analysis using the ROR model and formal analysis tool ProVerif. Furthermore, comparative assessments reveal that our scheme outperforms other relevant protocols in terms of efficiency and security.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wolfgang Issovits,Michael Hutter

DOI: https://doi.org/10.1109/rfid-ta.2011.6068658

2011-09-01

Abstract:RFID and NFC are widely spread contactless communication systems and are commonly used in security-critical applications such as payment and keyless-entry systems. Relay attacks pose a serious threat in this context that are not addressed by most of the RFID applications in use today. The attacks circumvent application-layer security and they cannot be prevented by the usual cryptographic primitives. In this paper, we will present a practical implementation of a relay attack based on systems using the widely used ISO/IEC 14443 standard. We use an off-the-shelf mobile phone and a self-developed RFID-tag emulator that can forward RFID communication over a Bluetooth channel. We will show that the attack succeeded and discuss various methods how to exploit certain mechanisms of the ISO protocol to increase the chance for a successful attack. We will also give recommendations to protect against relay attacks in practice while still complying to the ISO standard which is not considered by most of the proposed countermeasures given in literature.

Hengchuan Tan,Maode Ma,Houda Labiod,Aymen Boudguiga,Jun Zhang,Peter Han Joo Chong

DOI: https://doi.org/10.1109/TVT.2016.2621354

2017-12-28

Abstract:Public key infrastructure (PKI) is the most widely used security mechanism for securing communications over the network. However, there are known performance issues, making it unsuitable for use in vehicular networks. In this paper, we propose a secure and authenticated key management protocol (SA-KMP) to overcome the shortcomings of the PKI. The SA-KMP scheme distributes repository containing the bindings of the en-tity's identity and its corresponding public key to each vehicle and road side unit. By doing so, certificate exchanges and certificate revocation lists are eliminated. Furthermore, the SA-KMP scheme uses symmetric keys derived based on a 3-D-matrix-based key agreement scheme to reduce the high computational costs of using asymmetric cryptography. We demonstrate the efficiency of the SA-KMP through performance evaluations in terms of transmission and storage overhead, network latency, and key generation time. Analytical results show that the SA-KMP is more scalable and outperforms the certificate-based PKI. Simulation results indicate that the key generation time of the SA-KMP scheme is less than that of the existing Elliptic Curve Diffie--Hellman and Diffie--Hellman protocols. In addition, we use Proverif to prove that the SA-KMP scheme is secure against an active attacker under the Dolev and Yao model and further show that the SA-KMP scheme is secure against denial of service, collusion attacks, and a wide range of other malicious attacks.

Cryptography and Security

Wei Xin,Cong Tang,Hu Xiong,Yonggang Wang,Huiping Sun,Zhi Guan,Zhong Chen

DOI: https://doi.org/10.3233/978-1-60750-722-2-129

2011-01-01

Abstract:Radio Frequency Identification (RFID) systems suffer from different security and privacy problems, among which relay attacks are a hot topic recently. A relay attack is a form of man-in-the-middle (MITM) attack where the adversary manipulates the communication by only relaying the verbatim messages between two parties. The main countermeasure against relay attacks is the use of distance bounding protocols measuring the round-trip time between the reader and the tag, more precisely, it uses bit exchanges for a series of rapid challenge-response rounds in RFID systems. In 2005, Hancke and Kuhn first introduced distance bounding protocol into RFID systems, after that, many schemes have been proposed based on this protocol. However, most schemes tend to a more complex design to decrease adversary's success probability. In this paper, we propose a novel distance bounding protocol named MEED, using only 2n bits of memory, which, to our best knowledge, is equal to Hancke and Kuhn's protocol and less than any existing protocols. In addition, by using our protocol, the tag is able to detect adversary's malicious queries. We also make a comparison with typical previous distance bounding protocols in both memory and mafia fraud success probability.

Lu Wei,Jie Cui,Yan Xu,Jiujun Cheng,Hong Zhong

DOI: https://doi.org/10.1109/tifs.2020.3040876

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Owing to the development of wireless communication technology and the increasing number of automobiles, vehicular ad hoc networks (VANETs) have become essential tools to secure traffic safety and enhance driving convenience. It is necessary to design a conditional privacy-preserving authentication (CPPA) scheme for VANETs because of their vulnerability and security requirements. Traditional CPPA schemes have two deficiencies. One is that the communication or storage overhead is not sufficiently low, but the traffic emergency message requires an ultra-low transmission delay. The other is that traditional CPPA schemes do not consider updating the system secret key (SSK), which is stored in an unhackable Tamper Proof Device (TPD), whereas side-channel attack methods and the wide usage of the SSK increase the probability of breaking the SSK. To solve the first issue, we propose a CPPA signature scheme based on elliptic curve cryptography, which can achieve message recovery and be reduced to elliptic curve discrete logarithm assumption, so that traffic emergency messages are secured with ultra-low communication overhead. To solve the second issue, we design an SSK updating algorithm, which is constructed on Shamir's secret sharing algorithm and secure pseudo random function, so that the TPDs of unrevoked vehicles can update SSK securely. Formal security proof and analysis show that our proposed scheme satisfies the security and privacy requirements of VANETs. Performance analysis demonstrates that our proposed scheme requires less storage size and has a lower transmission delay compared with related schemes.

computer science, theory & methods,engineering, electrical & electronic

Yongming Jin,Wei Xin,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-29253-8_27

2012-01-01

Abstract:RFID tags are now pervasive in our everyday life. They raise a lot of security and privacy issues. Many authentication protocols against these problems assume that the tags can contain a secret key that is unknown to the adversary. However, physical attacks can lead to key exposure and full security breaks. On the other hand, many protocols are only described and analyzed. However, we cannot explain why they are designed like that. Compare with the previous protocols, we first propose a universal RFID authentication protocol and show the principle why the protocol is designed. It can be instantiated for various types and achieve different security properties according to the implementation of the functions. Then we introduce a general prototype of delay-based PUF for low-cost RFID systems and propose a new lightweight RFID authentication protocol based on the general prototype of PUF. The new protocol not only resists the physical attacks and secret key leakage, but also prevents the asynchronization between the reader and the tag. It also can resist the replay attack, man-in-the-middle attack etc. Finally, we show that it is efficient and practical for low-cost RFID systems.

Yafei Ji,Luning Xia,Jingqiang Lin,Qiongxiao Wang,Lingguang Lei,Li Song

DOI: https://doi.org/10.1007/978-3-030-14234-6_18

2018-01-01

Abstract:Near field communication (NFC) is an emerging and promising technology envisioned to support a large gamut of applications such as payment and ticketing applications. Unfortunately, there emerges a variety of vulnerabilities that could leave an unwitting user vulnerable to attacks along with the increase of NFC applications. One such potential devastating attack is relay attack, in which adversaries establish a transparently transferring channel between two distant NFC-enabled devices, thus break the assumption that NFC can only work within a rather near distance. In this paper, we propose Chord, an effective method for detecting relay attack. Via measuring the strength of received signal, i.e, the Received Signal Strength Indication (RSSI) during a time span, the two devices are expected to get the same “trace” of RSSI’s variation because of physical proximity. Therefore, the relay attack can be revealed if the peers get a different “trace” from each other, which implies that they do not communicate directly via NFC link. The results of our implementation show that our proposal works as intended, and exhibits an improvement of security with reasonable performance impact.

Chunhua Jin,Penghui Zhou,Zhiwei Chen,Wenyu Qin,Guanhua Chen,Hao Zhang,Jian Weng

DOI: https://doi.org/10.1016/j.vehcom.2024.100847

IF: 6.7

2024-10-27

Vehicular Communications

Abstract:Vehicular ad hoc network (VANET) has been a promising technology in smart transportation system, which can enable information exchange between vehicles and roadside units (RSUs). However, the privacy of vehicles and RSUs is a critical challenge in VANET, as they may expose sensitive information to malicious attackers or unauthorized parties. Many existing authenticated key agreement (AKA) schemes aim to protect the privacy of vehicles and RSUs, but they often neglect the physical security of the devices involved in the communication. Therefore, we propose an efficient and privacy-preserving AKA scheme in VANET, which embeds physical unclonable function (PUF) and fuzzy extraction (FE) technology. PUF is a physical device that generates random strings based on their intrinsic characteristics and external inputs, which can protect the secrets in the devices from being stolen by attackers. FE can compensate for the drawbacks of PUF affected by environmental factors. Our scheme preserves the identity privacy of legitimate RSUs and vehicles, as well as intercepts and traces the identity of malicious attackers. In addition, we eliminate the involvement of the third party (TP) in the AKA phase to better meet the high-speed driving of vehicles. Finally, we conduct formal and informal security analyses in random oracle model (ROM), which prove that our scheme can resist various attacks. We also show in the performance analysis that our scheme has the lowest computational cost, communication overhead, and total energy consumption.

telecommunications,transportation science & technology

Kyong-Tak Cho,Yuseung Kim,Kang G. Shin

DOI: https://doi.org/10.48550/arXiv.1801.07741

2018-01-23

Cryptography and Security

Abstract:We find that the conventional belief of vehicle cyber attacks and their defenses---attacks are feasible and thus defenses are required only when the vehicle's ignition is turned on---does not hold. We verify this fact by discovering and applying two new practical and important attacks: battery-drain and Denial-of-Body-control (DoB). The former can drain the vehicle battery while the latter can prevent the owner from starting or even opening/entering his car, when either or both attacks are mounted with the ignition off. We first analyze how operation (e.g., normal, sleep, listen) modes of ECUs are defined in various in-vehicle network standards and how they are implemented in the real world. From this analysis, we discover that an adversary can exploit the wakeup function of in-vehicle networks---which was originally designed for enhanced user experience/convenience (e.g., remote diagnosis, remote temperature control)---as an attack vector. Ironically, a core battery-saving feature in in-vehicle networks makes it easier for an attacker to wake up ECUs and, therefore, mount and succeed in battery-drain and/or DoB attacks. Via extensive experimental evaluations on various real vehicles, we show that by mounting the battery-drain attack, the adversary can increase the average battery consumption by at least 12.57x, drain the car battery within a few hours or days, and therefore immobilize/cripple the vehicle. We also demonstrate the proposed DoB attack on a real vehicle, showing that the attacker can cut off communications between the vehicle and the driver's key fob by indefinitely shutting down an ECU, thus making the driver unable to start and/or even enter the car.

Muhammad Asad Saleem,Xiong Li,Muhammad Faizan Ayub,Salman Shamshad,Fan Wu,Haider Abbas

DOI: https://doi.org/10.1109/TITS.2023.3266030

IF: 8.5

2023-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:The popularity of vehicles promotes the evolution of smart cities. This development makes vehicular ad-hoc network (VANET) a widely used inter-vehicular communication to obtain information about road conditions, speed, vehicle location and traffic congestion. Such a public network is vulnerable to different security threats. Overall, the security of private data in VANET is a critical task. It has been observed that various authentication protocols have been devised for VANETs. However, most of the proposed protocols are not secure and reliable because of different security threats, including denial of service, replay, forgery and impersonation attacks, etc. Furthermore, the existing protocols used extra communication overhead and computational cost, so they become infeasible for resource-constrained environments. In this article, we design a lightweight and secure privacy-preserving key agreement protocol for VANETs using the hashing technique, which provides an efficient and secure data transmission mechanism over a public communication channel. Detailed security analysis shows that the proposed protocol is secure against various attacks. To evaluate the performance of the protocol, we simulate key cryptographic operations of vehicles, a roadside unit, and a trusted party agent on Arduino, low-end and high-end devices, respectively. The experimental results show that compared with the other related protocols, the computational cost and communication overhead of our protocol are reduced on average by 8.797% and 22.06 %, respectively. Additionally, simulation results on NS3 show that our protocol consistently achieves a packet delivery ratio higher than 99.91 %. Therefore, our protocol is secure and reliable for VANET environment.

Shiqi Wang,Linsen Li,Gaosheng Chen,Tao Chen,Zeming Wang

DOI: https://doi.org/10.1109/IACS.2017.7921977

2017-01-01

Abstract:As the RFID based Internet of Things (loT) gets worldwide attention, to prepare for the rapidly increasing applications in daily life, various security protocols are proposed. But, these protocols, most of which are limited by the tag processing capacity and dangerous exposure during transmission, could only be applied in certain fields. Previously, Chen and Deng's mutual authentication and privacy protection protocol which conforming EPC Class 1 Generation 2 Standards stands out for low cost as well as little requirements of the tag processing capacity. However, currently reported by others, this system faces up with severe dangers of tracking or cloning tags via impersonating attacks. After scrutiny, we found out that these vulnerabilities lie in the insufficient protections of random numbers, and we reconstruct the request and response based on the original protocol by making message unrepeatable, key elements secret and adding small storage for comparisons. The security of our protocol, proved by Ban logic analysis, is ensured by double protections — secret key pairs and dynamic random numbers. Our comparisons show that our protocol not only is safe under traditional attacks guaranteed by the original protocol but also overcomes impersonating attacks which represents the inherent weakness of information exposure in public.

Zijie Ji,Phee Lep Yeoh,Gaojie Chen,Junqing Zhang,Yan Zhang,Zunwen He,Hao Yin,Yonghui Li

DOI: https://doi.org/10.1109/jiot.2022.3160508

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:This article proposes a wireless key generation solution for secure low-latency communications with active jamming attack prevention in wireless networked control systems (WNCSs) of Industrial Internet of Things (IIoT) applications. We first identify a new vulnerability in physical-layer key generation schemes using wireless channel and random pilots (RPs) in static environments. We derive a closed-form expression for the probability that the RP-based key is successfully attacked by a long-term eavesdropper at a fixed location. To prevent such attacks, we propose a one-time pad (OTP) encrypted transmission solution assisted by one-way self-interference (SI), which has low-latency, high-security benefits, and active attack detection capability. The performance of the proposed scheme is analytically compared with two benchmark RP-based schemes, and its advantages are verified in a ray-tracing-based simulation environment. We further investigate the impact of critical design parameters, which reveal fundamental insights for the deployment and implementation of our proposed secure communications scheme.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaojun Zhu,Fengyuan Xu,Chiu C. Tan,Edmund Novak,Qun Li,Guihai Chen

DOI: https://doi.org/10.1109/tmc.2016.2557784

IF: 6.075

2017-01-01

IEEE Transactions on Mobile Computing

Abstract:Securing a wireless channel between any two vehicles is a crucial component of vehicular networks security. This can be done by using a secret key to encrypt the messages. We propose a scheme to allow two cars to extract a shared secret from RSSI (Received Signal Strength Indicator) values in such a way that nearby cars cannot obtain the same key. The key is information-theoretically secure, i.e., it is secure against an adversary with unlimited computing power. Although there are existing solutions of key extraction in the indoor or low-speed environments, the unique channel conditions make them inapplicable to vehicular environments. Our scheme effectively and efficiently handles the high noise and mismatch features of the measured samples so that it can be executed in the noisy vehicular environment. We also propose an online parameter learning mechanism to adapt to different channel conditions. Extensive real-world experiments are conducted to validate our solution.