As told in a previous post, I like to watch the RDS-TMC traffic messages every now and then, just for fun. Even though I've never had a car. Actually I haven't done it for years now, but thought I'd share with you the joy of solving the enigma.[disclaimer 1]
RDS-TMC is used in car navigators to inform the driver about traffic jams, roadworks and urgent stuff like that. It's being broadcast on a subcarrier of a public radio FM transmission. It's encrypted in many countries, including mine, so that it could be monetized by selling the encryption keys.
A draft of the encryption standard, namely ISO/DIS 14819-6, is freely available online. Here's an excerpt[disclaimer 2] that reads blatantly like a challenge:
"After calling for candidate proposals [for a method of encryption], the submission from Deutsche Telekom was judged by an expert panel to have best met the pre-determined criteria the task force had established. The method encrypts the sixteen bits that form the Location element in each RDS-TMC message to render the message virtually useless without decryption. The encryption is only 'light' but was adjudged to be adequate to deter other than the most determined 'hacker'. More secure systems were rejected because of the RDS capacity overhead that was required."
TMC messages consist mostly of numeric references to a static database of preset sentences and locations; no actual text is being transmitted. The database is not a secret and is freely available. The location information is encrypted with a key that changes daily. Every night, a random key is picked from 31 pregenerated alternatives. The key is never transferred over the air, only its numeric ID (1–31). The keys are preprogrammed into all licensed TMC receivers, and they can decrypt the locations knowing the key ID.
The size of the key space is 2^16 and the encryption algorithm consists of three permutation operations:
The algorithm is simple enough to be run using pen-and-paper hardware, and that's just what I did while creating the above crypto diagram:
The tricky part is that I don't know the keys. But there's a catch. To save bandwidth, only regional messages are transmitted. This limits the space of possible locations, giving us a lot of information about the encrypted data. Assuming all messages are from this limited region, we can limit the number of keys to a very small number, in the dozens.
The next day, we have an all new encryption key again. But there's another catch. Many messages persist over several days, if not weeks. These would be messages about long-lasting roadworks and such. We just need to wait for messages that we heard yesterday that only have their location code changed, and we can continue limiting the keyspace by collecting more data.
Once we've limited the keyspace to a single key, we can decrypt all of today's messages. When the key changes again, it is trivial to find today's key by knowing yesterday's key and comparing the locations of persistent messages; this is known as a known-plaintext attack or KPA.
Here's some encrypted data straight from the radio.
$ ./redsea.pl | grep TMC
══╡ TMC msg 00 1828 4400
══╡ TMC sysmsg 6040
══╡ TMC msg 00 1828 4400
══╡ TMC msg 07 8264 0294
══╡ TMC msg 07 8264 0294
══╡ TMC msg 07 8264 0294
══╡ TMC sysmsg 0021
══╡ TMC msg 07 5964 72ca
A little Perl script then decodes everything and even plots the affected segment on a little map. The screenshot is from a few years back.
Now I just need a car. Well, actually I prefer motorcycles. But I guess it would work, too.
Tools used: Ordinary FM radio, sound card, computer. All data is from public sources. RDS was decoded from intermodulation distortion in the radio's Line Out audio caused by the stereo demuxer circuitry.
Update 2014-07-27: Some news reports seem to highlight that I was the first one to break this joke of a cipher. This could be true; I don't really care. In any case, the often-referred-to 2007 work by Barisani and Bianco (PDF 13MB) was done on unencrypted RDS-TMC and no cryptanalysis was involved; "encryption is supported for commercial services but irrelevant to our goals". I encourage you to read it; it addressed some of the real-world security implications of injecting crafted TMC messages into cars.
Disclaimer 1: I will take this post down on the first appearance of any complaint from any party, of course. My intent is not malicious and I'm not even publishing any keys or code.
Disclaimer 2: This use of the above excerpt of the ISO standard is not an infringement of copyright as it is being used here under the doctrine of "Fair Use" of the United States Copyright Law (17 U.S.C. § 107), seeing as this blog is hosted on US soil.
Can you put this up on github?
No, see Disclaimer 1 :)
Put anonymously? Information wants to be free
There's no way I can anonymously publish the code any more, ever. Also, there is no "proof of concept" that's all in code and ready to be executed. The process involved, for example, handwritten notes about persistent messages and recovered keys. But it should be very simple to implement based on this post. Anyone can do it, I believe.
Respect your efforts, hope we can get a working online RDS decryptor with usage of a simple LCD on Arduino or Raspberry
I've done it already.
To find my local RDS-TMC frequency, what am I looking for?
As far as I know, Australia doesn't use RDS for anything other than an encrypted TMC broadcast provided by http://www.intelematics.com.au/products-services/motoring-content/traffic-services/suna-rds-tmc
You can scan through the stations, decode the RDS and find a frequency that has TMC in its application list.
Nice one! You might enjoy reading Bamford's Puzzle Palace if you haven't already.
Thank you! It looks very fascinating indeed!
Amazon'd
So, are you coming to DEF CON someday soon?
I was invited to 44CON to talk about something else, and I'm still kind of pondering whether I can write a talk that long. But who knows.
I know they do workshops at 44CON. What if you offered to do a shorter talk and a workshop?
That kind of sounds doable.
I love it :D
The thrill of solving these kinds of things is one of the main parts why I love my field of work.
Thanks for writing it down so we can take part.
Do share your field of work! For me, it's just a hobby.
This reminds me of the type of code breaking they did at Bletchley Park during the Second World War. At Bletchley they had to guess the messages but particularly loved the weather forecast because once they cracked that they had the day's cipher (there were lots of differences but you get the general similarity between weather and roadworks). I find it particularly amusing you used Perl, which is perfect for this and whose origins are also in the security field. I only ever saw this system working in Germany. Great work deciphering and documenting it.
Regards
John Jones
Huge ! Now it is possible to fuzz RDS data and find bugs within GPS or car radios !
Could be nice/evil to get remote code execution on cars as I assume GPS and other equipment using RDS are connected to other sensitive parts of the car, and the security isolation must be pretty low...
"I assume GPS and other equipment using RDS are connected to other sensitive parts of the car, and the security isolation must be pretty low..."
You'd be assuming wrong, in general. I won't say it doesn't happen at all, but I am very knowledgeable about the BMW systems from the late '90s on up (IBus and beyond, seen in parts on the E36 but fully utilized in E38/E39/E46) and can say that there the passenger-facing systems are on one data bus while the important systems like the engine, transmission, gauge cluster, etc. are on others. If you somehow got code execution on the radio in my E46 the most you'd have access to is the door locks. Sure, not the best, but if the radio is on the key's already in it, so if I'm not also in it the car is unlocked and running, so it's a moot point.
From what I've seen when messing with other modern vehicles (VW, Kia, Ford) it's pretty similar across the board. Some parts are on both buses and will proxy specific requests, but they're things like queries for information or selection of performance / economy modes.
Also, these are a few small, fixed length messages. Not impossible to screw up, but less likely to be exploitable than a variable length freeform text field, such as the RDS RT field, which is entirely unencrypted and publicly documented. That is to say if you want to fuzz RDS, this doesn't really add much of use, the interesting bits were already out there.
A more "interesting" use of figuring out the keys, aside from accessing a subscription service for free of course, is for pirate broadcasters to add their own traffic events to the system. Obviously that's a fast way to get your local radio authorities interested in your operations though, so experimenting with such into anything but a dummy load is probably not a good idea.
That makes about as much sense as people saying they can hijack your locks to make the car accelerate since the locks lock automatically when you actually accelerate the car. Cause -> Effect does not always go backward.
That would be close to what is described in Comprehensive Experimental Analyses of Automotive Attack Surfaces from http://www.autosec.org/publications.html, which is an interesting read.
The level of protection between critical and non-critical buses apparently was not high enough for their target vehicle(s), as they write that "Consequently, the result is that compromising any ECU with access to some CAN bus on our vehicle (e.g., the media player) is sufficient to compromise the entire vehicle."
Did you use some kind of third party lib to get Perl to plot on a map or is it just a image with scaled coordinates?
Just an image that I know the corner coordinates of, and that I can then draw on using PerlMagick and crop to fit.
Ciao Feds? Hah! Intentional, I guess? :)
Great work!
You're the first one to notice :D
What do the yellow boxes with >>> and << in the diagram mean?
I'm trying to understand what you did on the piece of paper, but can't figure out where the two middle lines used for "xoring" came from.
Bitwise rotate right, bitwise shift left
Thanks! :)
Sad to request, but can you take this offline. It is kind of our service you hacked :)
Tuomo Eloranta,
Technology Director
Mediamobile Nordic
"Kind of"? Sure, if that's what you deem appropriate.
Please send me a cryptographically signed email (windyoona@gmail.com) with the complaint, i.e. some explanation as to how I'm infringing your IP rights, and which parts of the post are infringing and should be removed. I will replace them with [deleted as requested by Mediamobile Nordic].
Also, please provide me with a means of verifying the signature and sender, preferably a public key at a URL under your company domain.
Please ignore Eloranta's request. His company sells this service. He does not provide sufficient justification for censorship.
Well, he might have a legal angle anyways, so heeding a complaint is an understandably prudent thing to do. But indeed it is also wise to ask for specifics, and to ascertain that he's actually representing the company (after all, one wouldn't want to aid some pretender in smearing the company name).
I'm guessing this post is getting a fair number of persistent copies made at this time.
Hi,
The size of the keyspace is 2^16, but there are far fewer actual keys. Docs say:
"To minimize the overhead potentially required when encrypting data, the parameters used to encrypt the location codes are stored in eight Service Key tables in the terminal equipment. Each of the eight Service Key tables has 32 “lines”. Each line gives the values of three parameters used to encrypt the 16 bits of the location code."
256.
I actually think you have your copyright footnotes shifted the wrong way round.
1. It is very hard to block you from publishing what you've just published. In no way are you explaining any of the secret parts of the encryption. Instead all you did was reference some publicly available data on how the algorithm works and then explain how a cryptanalytic attack on the code would work. What you do not do is explain this in great detail. You do not give a list of the location codes that are in use, nor do you give the key. With the standard in hand, which contains a description of the algorithm, any trained analyst should be able to write this blog post. As a result the company can't really do anything. The cryptanalytic and digital signal analysis literature contains many such examples.
You do say however that you can cite Fair Use of the ISO standard, because the content is hosted on a server in the USA. That is incorrect. Most of the jurisprudence focuses on where you were at the time of writing and the intended audience. The location of the server is only relevant in case the courts want to seize something. And BTW you may know of the converted paper mill that Google has in Hamina, Finland. So you should evaluate whether there is a citation right under Finnish law and jurisprudence. You should also check whether somehow someone can make a case against you based on your relations with another country.
Now your mileage may vary, so always verify with a lawyer that understands Finnish copyright law and rules and regulations on reverse engineering and crypto.
You are correct in that I'm not legally bound to remove anything. But I kind of promised to be nice. However, there are limits as to what I consider a "complaint" and a "party".
Use of the citation also complies with the Citation Right of the Finnish Copyright Law (22§). I made Disclaimer 2 because the standard explicitly forbids any citation unless allowed by law.
I have a judgement under Finnish law against me for hosting a service where a friend posted some homebrew Haskell DeCSS code along with commentary (among others, but that was the one they decided to pursue).
That does not fully apply to this case since as you said, Oona didn't publish any code. However, this is a form of DRM, and the law says that even offering service that _helps_ circumvent it is illegal. Service is vague, but a blog dedicated to such evils as "hacking"? I wouldn't put it past the courts to judge it to be one, when my mailing list qualified as well.
One could probably argue that the stuff being accessed is not actually copyrightable, but that's always a can of worms, especially with our European database monopoly rights or whatnot.
So the legal situation is actually way murkier than it would be in a sane world, and unscrupulous companies are within their legal rights to exploit that (hi, Tuomo).
(And yeah, that comment is "kind of" a complaint but not really... The "kind of" is especially vague. Is it or is it not, do they have standing for anything?)
For future reference:
-log into tor
-upload source code to www.pudn.com, it is a source sharing site. You can find stuff there like factory workers uploading whole design files they got from US firm to manufacture (including source code, gerbers, case design). Basically its repository for Shanzhai manufacturers :)
-wait few hours and make a blog post about this kewl code you just found
-wait two weeks for first clones to appear on the market
Fukken saved
The pink heart-shaped paper is a nice touch.
Yeah, they're Post-It hearts :)
Kudos to you. Interesting blog post. Shame I don't have even the first clue what "RDS was decoded from intermodulation distortion in the radio's Line Out audio caused by the stereo demuxer circuitry." means but that just shows the shortcomings in my own education. :-) Thank you.
That piece of text is a hyperlink - follow the hyperlink :)
I did - and interesting reading it was too! I do get the general principles (and this is what makes the posts interesting), but it's the technical nitty-gritty I'm struggling with! Like I said though, just my ignorance, not your posts.
Well done indeed! Congrats on your passion for this hobby, and your principles staying pure. This level of devotion and play-nice isn't something I see all that often. Especially in a potentially ego-teasing field (I agree the standard reads like a challenge.) I'm in so much respect for the way you are handling your discovery here.
And that your passion will most likely lead you away from this and on to the next cool thing to stumble into your scope's screen.
Blessings!
So, wait a second. The key space isn't even 2^16, is it, since the top bits of the lower 8 bits of the key are actually shifted away, depending on what the second-most-significant hex digit says, right? In fact all keys x800 .. xFFF are all identical, no? What a ridiculous scheme. There are 16*256 + 16*128 + ... 16*1 -> 16*511 + 8*16 = 8304 unique, canonical keys, by my back of the envelope calculation.
Err, just 8192 unique keys. Not sure where the 8*16 came from.
Yes, that would be 2^13. I'm not sure whether this should actually be called encryption at all, or perhaps scrambling or something like that. But that's the term they like to use.
$ for s in `seq 0 15`;do for v in `seq 0 255`;do echo $((($v<<$s)&0xffff));done;done|sort -u|wc -l
1280
That makes 16*1280=20480 unique keys.
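The key counting in this thread, and the keyspace narrowing the post describes (first assume all messages are regional, then use yesterday's locations of persistent messages as known plaintext), can be reproduced with a small script. This is an added example, not the author's Perl script and not anything from the service: the cipher structure it models (rotate the 16-bit location right by r, then XOR with an 8-bit value v shifted left by s) is an assumption reconstructed from the post's description and the comments above, and every key, region and location code in it is constructed.

```python
"""Toy model of the location-code scrambling discussed above (added example).
Assumed structure, reconstructed from the post and comments: rotate the 16-bit
location right by r (4 bits), then XOR with an 8-bit value v shifted left by
s (4 bits). Keys and location codes here are constructed; none are real."""

MASK = 0xFFFF

def rotr16(x, r):
    """Rotate a 16-bit word right by r bits."""
    r &= 15
    return ((x >> r) | (x << (16 - r))) & MASK

def rotl16(x, r):
    """Rotate a 16-bit word left by r bits (inverse of rotr16)."""
    return rotr16(x, (16 - (r & 15)) & 15)

def xor_word(v, s):
    """XOR operand: 8-bit value shifted left; bits pushed past bit 15 are lost."""
    return (v << s) & MASK

def encrypt(loc, r, x):
    """Scramble one location code under canonical key (rotation r, xor word x)."""
    return rotr16(loc, r) ^ x

def decrypt(enc, r, x):
    """Undo encrypt(): strip the xor word, then rotate back."""
    return rotl16(enc ^ x, r)

def distinct_xor_words():
    """The xor words reachable from all (v, s) pairs: the comment's 1280."""
    return {xor_word(v, s) for s in range(16) for v in range(256)}

def effective_keys():
    """Distinct (r, x) mappings behind the 2^16 key encodings: 16 * 1280."""
    return {(r, x) for r in range(16) for x in distinct_xor_words()}

def region_filter(keys, ciphertexts, lo, hi):
    """Ciphertext-only step from the post: keep keys under which every
    observed location decrypts into the regional code range [lo, hi]."""
    return {(r, x) for (r, x) in keys
            if all(lo <= decrypt(c, r, x) <= hi for c in ciphertexts)}

def known_plaintext_filter(keys, pairs):
    """KPA step: keep keys mapping each known location to its observed ciphertext.
    Each pair fixes x for every r, so at most 16 candidates survive."""
    return {(r, x) for (r, x) in keys
            if all(encrypt(p, r, x) == c for p, c in pairs)}

def demo():
    """Constructed scenario: unknown daily key, a few regional messages, two of
    which are persistent ones whose locations were recovered yesterday."""
    true_key = (5, xor_word(0xA3, 3))      # constructed, not a real service key
    lo, hi = 12000, 12999                  # constructed regional code range
    plain = [12345, 12400, 12777, 12010]   # constructed location codes
    observed = [encrypt(p, *true_key) for p in plain]
    keys = effective_keys()
    after_region = region_filter(keys, observed, lo, hi)
    after_kpa = known_plaintext_filter(after_region, list(zip(plain, observed))[:2])
    return keys, after_region, after_kpa, true_key

if __name__ == "__main__":
    keys, after_region, after_kpa, true_key = demo()
    print(f"{len(keys)} effective keys, {len(after_region)} after region filter, "
          f"{len(after_kpa)} after KPA; true key recovered: {true_key in after_kpa}")
```

Running it shows why a 16-bit key with this shape offers no real protection: the 65536 encodings collapse to 20480 distinct mappings, and a couple of known location codes pin the day's key down to a handful of candidates.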
You mentioned some books on cryptanalysis, would you mind posting a few you'd recommend?
This is really a great site!
Thank you.
As a teenager, my introduction to cryptanalysis was a declassified U.S. military field manual, called FM 34-40-2, that I printed out and bound as a little book. It is most probably available online as scanned images.
Brilliant!! My question is how to feed the decrypted TMC messages onto the car CAN bus to display on the car navigation system? Any ideas?
As I said, I don't have a car or driver's license so I can't really try that kind of stuff out.
Related research from 2007 http://www.defcon.org/images/defcon-15/dc15-presentations/dc-15-barisani_and_bianco.pdf
Yeah, I met Barisani at t2infosec :)
Nice work no doubt! Since I've written TMC broadcasting systems it's nice to see that some people are enjoying them. :)
Hi Oona, nice job,
maximum respect :)
I once owned a Michelin TMC GPS: it shows a "hitparade" of TMC messages, "hitparade" in the "distance" sense, from close to further away. I bought an RDS TMC antenna for my TomTom, but even when I plan a route over Brussels it doesn't give me any messages... Maybe I'm not close enough (120km) ...
Your blog is fascinating. I like how in this post, your method of attack is similar to the attack-from-guessed-similar-messages, famously employed to crack the Enigma cipher. Now I'm wondering if your first paragraph contains a subtle reference . . .
Keep it up!
I like your blog and for a while I'm also tinkering around with decoding RDS/TMC/TMCpro. I pretty much like how simple they made the "encryption" and that they actually did it on purpose. To cite ISO 14819-6: "The encryption is only ‘light’ but was adjudged to be adequate to deter other than the most determined ‘hacker’."
Please note that a similar brute-force attack like yours has already been described here: http://www.mikrocontroller.net/topic/229218. Unfortunately, it's in German. Watch out for the first post by user "Simon Budig". He claims that he's done successful brute-force attacks back in 2011 or before.
What’s interesting is the second-last paragraph. Translation:
“Back then, I ran a little attack against it and found out one table entry (which was used at the time by my local TMCpro station). This didn’t change at all for a very long time, thus I’m not sure if it ever does.”
He seems to be referring to the key index (or ENCID)—apparently, some stations don’t bother changing it or do so very infrequently. This is consistent with my own observations of two stations carrying the same encrypted service. The last two blocks of the encryption administration group were the same, even on two different stations and more than two months apart.
Do you think you could share your little Perl script that plots location and TMC messages on the map (to use with public TMC providers)? You could also add an option for the user to input all 31 keys if he/she has them.
Thanks for answering and best regards
Can you please consider making this site usable on phones?
Thanks, I'll see what I can do!