Keeloq_AD_2025__1_.pdf

majek04
September 13, 2025

Transcript

  1. It's based on keeloq tech - by Gideon Kuhn '80's
     • Rolling code / hopping code
     • Not cloneable
     • Not replayable
     • Super cheap!
     • Easy to work with!
  2. Keeloq
     • Hardware key extraction by power analysis
       ◦ "On the Power of Power Analysis in the Real World: A Complete Break of the KeeLoq Code Hopping Scheme"
       ◦ "Differential Power Analysis"
       ◦ https://www.schneier.com/blog/archives/2007/09/keeloq_broken.html
     • Algebraic attack
       ◦ "Algebraic and Slide Attacks on KeeLoq"
     • Rolljam
       ◦ by Samy Kamkar AD 2015
     • Bruteforce?
     • And...
  3. The KEELOQ algorithm also features sophisticated synchronization techniques. The system will continue to function even if the transmitter is activated repeatedly while not in range of the receiver (as would happen if a child played with the remote control). If a button is pressed out of range more than 16 times, synchronization will be lost. However, two successive transmissions in range will restore synchronization. When no response occurs to a transmitter operation, the user's natural reaction is to press the button a second time. Synchronization will be restored when he does. Operation is totally transparent — the user may not even become aware that synchronization has been lost and restored.
  4. But I like keeloq!
     • Keeloq, the cipher, is not bad (50 years old)
       ◦ Still not trivially broken
     • Keeloq, the product, is not bad
       ◦ The chips work.
       ◦ Replay prevention works in theory
       ◦ Including two fuses
       ◦ Various "learning modes" to make it harder - the producer did try
       ◦ Allowing custom learning modes - sure, obscurity.
     • But actual implementations are not using it right
     • Fundamentally only vulnerable to Rolljam and bruteforce
  5. Bruteforce attempts
     • Keyspace 2**64 = 18 446 744 073 709 551 616
     • 1x RTX5090 = 200 000 000 000 / second (at 600W power!)
     • 25620 compute-hours
     • ~2.5 years at 1 x RTX5090
     • Or $4.3k USD @ $0.17/hour
       ◦ Whole ecosystem of on-demand, mostly Russian servers for rent
       ◦ Somewhat related to crypto
       ◦ Bypassing the Russian firewall
       ◦ Also RU has cheap power
  6. My garage....
     • doesn't start with 0x00
     • doesn't end with 0x00
     • is not pure ASCII
     • ...