Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer


Roel Verdult, Radboud University Nijmegen; Flavio D. Garcia, University of Birmingham; Baris Ege, Radboud University Nijmegen


The Megamos Crypto transponder is used in one of the most widely deployed electronic vehicle immobilizers. It is used among others in most Audi, Fiat, Honda, Volkswagen and Volvo cars. Such an immobilizer is an anti-theft device which prevents the engine of the vehicle from starting when the corresponding transponder is not present. This transponder is a passive RFID tag which is embedded in the key of the vehicle.

In this paper we have reverse-engineered all proprietary security mechanisms of the transponder, including the cipher and the authentication protocol which we publish here in full detail. This article reveals several weaknesses in the design of the cipher, the authentication protocol and also in their implementation. We exploit these weaknesses in three practical attacks that recover the 96-bit transponder secret key. These three attacks only require wireless communication with the system. Our first attack exploits weaknesses in the cipher design and in the authentication protocol. We show that having access to only two eavesdropped authentication traces is enough to recover the 96-bit secret key with a computational complexity of 256 cipher ticks (equivalent to 249 encryptions). Our second attack exploits a weakness in the key update mechanism of the transponder. This attack recovers the secret key after 3×216 authentication attempts with the transponder and negligible computational complexity. We have executed this attack in practice on several vehicles. We were able to recover the key and start the engine with a transponder emulating device. Executing this attack from beginning to end takes only 30 minutes. Our third attack exploits the fact that some car manufacturers set weak cryptographic keys in their vehicles. We propose a time-memory trade-off which recovers such a weak key after a few minutes of computation on a standard laptop.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {193260,
author = {Roel Verdult and Flavio D. Garcia and Baris Ege},
title = {Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer},
booktitle = {Supplement to the Proceedings of 22nd USENIX Security Symposium (Supplement to USENIX Security 15)},
year = {2015},
isbn = {978-1-931971-232},
address = {Washington, D.C.},
pages = {703--718},
url = {https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/verdult},
publisher = {USENIX Association},
month = aug