Fuming Acid and Cryptanalysis: Handy Tools for Overcoming a Digital Locking and Access Control System

  • Daehyun Strobel
  • Benedikt Driessen
  • Timo Kasper
  • Gregor Leander
  • David Oswald
  • Falk Schellenberg
  • Christof Paar
Conference paper

DOI: 10.1007/978-3-642-40041-4_9

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8042)
Cite this paper as:
Strobel D. et al. (2013) Fuming Acid and Cryptanalysis: Handy Tools for Overcoming a Digital Locking and Access Control System. In: Canetti R., Garay J.A. (eds) Advances in Cryptology – CRYPTO 2013. Lecture Notes in Computer Science, vol 8042. Springer, Berlin, Heidelberg

Abstract

We examine the widespread SimonsVoss digital locking system 3060 G2, which relies on an undisclosed, proprietary protocol to mutually authenticate transponders and locks. Assessing the security of the system requires several steps: by decapsulating the microcontrollers with acid and circumventing their read-out protection with UV-C light, the complete program code and data contained in the door lock and the transponder are extracted. As a second major step, the multi-pass challenge-response protocol and the corresponding cryptographic primitives are recovered via low-level reverse-engineering. The primitives turn out to be based on DES in combination with a proprietary construction.

Our analysis pinpoints various security vulnerabilities that enable practical key-recovery attacks. We present two different approaches for gaining unauthorized access to installations. Firstly, an attacker with physical access to a door lock can extract a master key, which allows the attacker to mimic transponders, in a total of 30 minutes. A second, purely logical attack exploits an implementation flaw in the protocol and works solely via the wireless interface. Its only prerequisite is that a valid transponder ID is known (or guessed). After executing a few (partial) protocol runs in the vicinity of a door lock, and some seconds of computation, an adversary obtains all of the transponder's access rights.

Keywords

Access control; electronic lock; reverse-engineering; real-world attack; hardware attack; cryptanalysis; wireless door openers

Copyright information

© International Association for Cryptologic Research 2013

Authors and Affiliations

  • Daehyun Strobel (1)
  • Benedikt Driessen (1)
  • Timo Kasper (1)
  • Gregor Leander (1)
  • David Oswald (1)
  • Falk Schellenberg (1)
  • Christof Paar (1)

  1. Horst Görtz Institute for IT-Security, Ruhr-Universität Bochum, Germany