Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember; sharing is caring. Bring something back to the community.

"Learn the tools of the trade the hard way." +Fravia

You are not logged in.


Time changes and with it the technology
Proxmark3 @ discord

Users of this forum, please be aware that information stored on this site is not private.

#1 2012-08-08 17:58:30

Registered: 2008-05-21
Posts: 417

Gone in 360 Seconds: Hijacking with Hitag2

An electronic vehicle immobilizer is an anti-theft device which prevents the engine of the vehicle from starting unless the corresponding transponder is present. Such a transponder is a passive RFID tag which is embedded in the car key and wirelessly authenticates to the vehicle. It prevents a perpetrator from hot-wiring the vehicle or starting the car by forcing the mechanical lock. Having such an immobilizer is required by law in several countries. Hitag2, introduced in 1996, is currently the most widely used transponder in the car immobilizer industry. It is used by at least 34 car makes and fitted in more than 200 different car models. Hitag2 uses a proprietary stream cipher with 48-bit keys for authentication and confidentiality. This article reveals several weaknesses in the design of the cipher and presents three practical attacks that recover the secret key using only wireless communication. The most serious attack recovers the secret key from a car in less than six minutes using ordinary hardware. This attack allows an adversary to bypass the cryptographic authentication, leaving only the mechanical key as safeguard. This is even more sensitive on vehicles where the physical key has been replaced by a keyless entry system based on Hitag2. During our experiments we managed to recover the secret key and start the engine of many vehicles from various makes using our transponder emulating device. These experiments also revealed several implementation weaknesses in the immobilizer units.

Research paper
Demonstration movie


#2 2012-08-09 10:20:02

Registered: 2011-04-16
Posts: 5

Re: Gone in 360 Seconds: Hijacking with Hitag2

Congratulations on your paper, good achievement !
Are you gonna release the firmware you used for this or is it going to stay "behind closed doors" ?
I've started experimenting on my car key using a proxmark 3 about 2 years ago.. but with my limited programming knowledge I didn't come very far...
I would love to try your firmware !!


#3 2012-08-09 20:01:55

From: Arizona USA
Registered: 2010-07-04
Posts: 175

Re: Gone in 360 Seconds: Hijacking with Hitag2

All I can say is "WOW". You guys certainly put the rest of us to shame with your thorough and detailed analysis of the various RFID systems that you investigate. I am still trying to digest the excellent (and complex) work that you did with the "Dismantling iClass" paper. Thanks for helping to make this hobby extemely fun and interesting.


Board footer

Powered by FluxBB