Publications

Csikor, L.; Lim, H. W.; Wong, J. W.; Ramesh, S.; Parameswarath, R. P.; Chan, M. C.

RollBack: A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems Journal Article

In: ACM Transactions on Cyber-Physical Systems, vol. 8, iss. 1, no. 5, pp. 1-25, 2024, ISSN: 2378-962X, (Open Access).

Abstract | Links | BibTeX | Tags: attack, black hat, keyfob, replay, security

@article{10.1145/3627827,

title = {RollBack: A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems},

author = {L. Csikor and H. W. Lim and J. W. Wong and S. Ramesh and R. P. Parameswarath and M. C. Chan},

url = {https://doi.org/10.1145/3627827

https://cslev.vip/wp-content/uploads/2024/03/rollback_acm_tcps_journal.pdf},

doi = {10.1145/3627827},

issn = {2378-962X},

year  = {2024},

date = {2024-01-14},

urldate = {2024-01-14},

journal = {ACM Transactions on Cyber-Physical Systems},

volume = {8},

number = {5},

issue = {1},

pages = {1-25},

publisher = {Association for Computing Machinery},

address = {New York, NY, USA},

abstract = {Automotive Keyless Entry (RKE) systems provide car owners with a degree of convenience, allowing them to lock and unlock their car without using a mechanical key. Today’s RKE systems implement disposable rolling codes, making every key fob button press unique, effectively preventing simple replay attacks. However, a prior attack called RollJam was proven to break all rolling code–based systems in general. By a careful sequence of signal jamming, capturing, and replaying, an attacker can become aware of the subsequent valid unlock signal that has not been used yet. RollJam, however, requires continuous deployment indefinitely until it is exploited. Otherwise, the captured signals become invalid if the key fob is used again without RollJam in place.We introduce RollBack, a new replay-and-resynchronize attack against most of today’s RKE systems. In particular, we show that even though the one-time code becomes invalid in rolling code systems, replaying a few previously captured signals consecutively can trigger a rollback-like mechanism in the RKE system. Put differently, the rolling codes become resynchronized back to a previous code used in the past from where all subsequent yet already used signals work again. Moreover, the victim can still use the key fob without noticing any difference before and after the attack.Unlike RollJam, RollBack does not necessitate jamming at all. In fact, it requires signal capturing only once and can be exploited at any time in the future as many times as desired. This time-agnostic property is particularly attractive to attackers, especially in car-sharing/renting scenarios in which accessing the key fob is straightforward. However, while RollJam defeats virtually any rolling code–based system, vehicles might have additional anti-theft measures against malfunctioning key fobs, hence against RollBack. Our ongoing analysis (with crowd-sourced data) against different vehicle makes and models has revealed that ∼ 50% of the examined vehicles in the Asian region are vulnerable to RollBack, whereas the impact tends to be smaller in other regions, such as Europe and North America.},

note = {Open Access},

keywords = {attack, black hat, keyfob, replay, security},

pubstate = {published},

tppubtype = {article}

}

Close

Automotive Keyless Entry (RKE) systems provide car owners with a degree of convenience, allowing them to lock and unlock their car without using a mechanical key. Today’s RKE systems implement disposable rolling codes, making every key fob button press unique, effectively preventing simple replay attacks. However, a prior attack called RollJam was proven to break all rolling code–based systems in general. By a careful sequence of signal jamming, capturing, and replaying, an attacker can become aware of the subsequent valid unlock signal that has not been used yet. RollJam, however, requires continuous deployment indefinitely until it is exploited. Otherwise, the captured signals become invalid if the key fob is used again without RollJam in place.We introduce RollBack, a new replay-and-resynchronize attack against most of today’s RKE systems. In particular, we show that even though the one-time code becomes invalid in rolling code systems, replaying a few previously captured signals consecutively can trigger a rollback-like mechanism in the RKE system. Put differently, the rolling codes become resynchronized back to a previous code used in the past from where all subsequent yet already used signals work again. Moreover, the victim can still use the key fob without noticing any difference before and after the attack.Unlike RollJam, RollBack does not necessitate jamming at all. In fact, it requires signal capturing only once and can be exploited at any time in the future as many times as desired. This time-agnostic property is particularly attractive to attackers, especially in car-sharing/renting scenarios in which accessing the key fob is straightforward. However, while RollJam defeats virtually any rolling code–based system, vehicles might have additional anti-theft measures against malfunctioning key fobs, hence against RollBack. Our ongoing analysis (with crowd-sourced data) against different vehicle makes and models has revealed that ∼ 50% of the examined vehicles in the Asian region are vulnerable to RollBack, whereas the impact tends to be smaller in other regions, such as Europe and North America.

Close

Csikor, L.; W.Lim, H.; Ramesh, S.; Wong, J. W.; Parameswarath, R. P.; Choon, C. M.

RollBack - A New Time-Agnostic Replay Attack Against the Automotive Remote Keyless Entry Systems Proceedings Article

In: BlackHat USA Briefings, 2022.

Links | BibTeX | Tags: attack, black hat, keyfob, replay, rollback

Khooi, X. Z.; Csikor, L.; Kang, M. S.; Divakaran, D. M.

In-Network Defense Against AR-DDoS Attacks Proceedings Article

In: Proceedings of the ACM SIGCOMM 2020 Conference on Posters and Demos, ACM, New York, USA, 2020.

Links | BibTeX | Tags: attack, denial-of-service, in-network, p4

Csikor, L.; Ujawane, V.; Divakaran, D. M.

On the Feasibility and Enhancement of the Tuple Space Explosion Attack against Open vSwitch Journal Article

In: CoRR, vol. abs/2011.09107, 2020.

Links | BibTeX | Tags: attack, denial-of-service, openflow, ovs, sdn

Csikor, L.; Divakaran, D. M.; Kang, M. S.; Kőrösi, A.; Sonkoly, B.; Haja, D.; Pezaros, D. P.; Schmid, S.; Rétvári, G.

Tuple Space Explosion: A Denial-of-Service Attack against a Software Packet Classifier Proceedings Article

In: Proc. International Conference on Emerging Networking Experiments And Technologies, pp. 292–304, Association for Computing Machinery, Orlando, Florida, 2019, ISBN: 9781450369985.

Links | BibTeX | Tags: attack, denial-of-service, detection, mitigation, openflow, ovs, sdn, security