Personal-size remote control transmitters are widely used to provide a convenient method of locking or unlocking vehicles, and/or to remotely arm or disarm vehicle theft deterrent systems. They are also used to control home/business security systems and garage door openers. If these transmissions can be spoofed or played back, then these systems can be controlled by unauthorized parties to gain unwanted access to the protected environment. Most, if not all, of these systems provide very little protection against spoofing and no protection at all against the playback of legitimate messages that have been recorded and/or modified. The term "spoofing" as used herein refers to the creation of a false message that is accepted by the system as a valid message.
Conventional vehicle keyless entry systems prevent accidental interference from other transmitters through the use of frequency separation and identification codes. Some manufacturers use only one frequency, while others may have a number of frequencies available (but usually only one is used in any given system). Identification codes are then used to further ensure that one person's transmitter will not accidentally control someone else's system. These systems typically prevent guessing the identification code (usually between 16 and 32 bits) with penalty functions that limit the rate at which transmissions can be processed. For example, limiting receptions to one per second places a limit on how long it might take a thief to find the correct identification number by trying all possible combinations. However, these systems will accept any previously transmitted message that had been recorded and played back at any time in the future. Playback attacks can therefore be implemented very inexpensively, and such attacks are known to be used by professional car thieves who target specific vehicles. Since a successful attack will usually unlock the doors and simultaneously disarm alarm and ignition disable systems, the risk of being caught is significantly reduced.
A simple method of preventing playback attack is to include a simple dynamic security code in the message that changes with each transmission. The receiver calculates the next code in the sequence, and accepts a message as valid only if the received code matches the expected code. This method is insecure for three reasons. First, a thief can predict the next code sequence from knowledge of previous sequences, in much the same way as the receiver can predict which sequence to expect based on the last transmission. Second, once the code sequence has been determined, it can be used to issue false commands to all similar receivers. Third, the algorithm used to generate the code sequence must usually be kept secret, because a thief can much more easily predict the code sequences when the algorithm is known.
Message authentication using cryptographic techniques is a better method for preventing spoofing and playback attacks. However, applying conventional message authentication to personal transmitter-based systems has not been used in the past since the available authentication algorithms have been too complex for implementation in very low cost systems. In addition, significantly larger message sizes were necessary to accommodate cryptographic synchronization, and the resulting increase in transmission time significantly reduced the expected life of the miniature batteries typically used.