RFID crack raises spectre of weak encryption

With a little bit of technical acumen and a few hundred dollars, enterprising thieves can walk away with some late model cars and gas them up for free to boot, according to research published by computer security experts at The Johns Hopkins University (JHU) in Baltimore and RSA Security's RSA Laboratories in Bedford, Massachusetts.

In January, the researchers published the results of a technical analysis of a kind of secure RFID (radio frequency identification) technology called Digital Signature Transponder (DST) from Texas Instruments (TI), which is widely used to secure newer-generation automobiles and electronic payment systems like Exxon Mobil's Speedpass. The work revealed serious weaknesses in the cryptographic security used to protect data sent back and forth, and shines a light on the problem of security systems that rely on aging or inadequate cryptography, according to experts.

The team of researchers included staff from JHU's Information Security Institute, including Avi Rubin, the computer security expert who gained fame for his analysis of flawed electronic voting technology from Diebold.

Rubin and a team of three graduate students, along with cryptography experts from RSA, used reverse engineering techniques and custom-designed tools to crack the cryptographic keys used to secure the systems and simulate both the RFID DST tags and readers. The hack allowed researchers to disable a vehicle immobilizer in a 2005 Ford automobile using a specially-equipped laptop computer, and purchase gas at a number of Exxon Mobil locations with a home-made Speedpass device, according to a copy of their findings, which was posted online. (See: http://rfidanalysis.org/.)

The TI technology is vulnerable to attack because it uses a decade-old, 40-bit cryptographic key to encrypt communications between the RFID DST tags and readers, the researchers found. TI also used an unknown and proprietary encryption algorithm on its DST devices, but Rubin's team reverse-engineered the secret algorithm by observing the way DST tags responded to specially-crafted challenges. Once they guessed the algorithm, researchers created a software program that could be used in so-called brute-force attacks on DST devices to recover their secret cryptographic keys, Rubin said.

The researchers worked for two months to break the TI algorithm, but once it was cracked, they made short work of the rest of TI's product, designing tools that guessed the encryption keys on five TI gas Speedpasses in two hours, Rubin said.

Other commercial security systems also use the DST technology, including cardkey access systems for buildings and livestock tracking products, he said.

But Tony Sabetti, global business manager for TI's RFID Systems, said that Rubin's team only broke one element of the system's security, and that successful thieves would need to defeat more security features to carry out a crime. For example, even crooks who could disable the vehicle immobilization feature would still have to find a way to start the car. And, for the Speedpass payment system, TI has other security features in place to stop fraudulent purchases, which the company cannot discuss, he said.

Sabetti said that TI does sell updated versions of the RFID technology that uses more advanced, 128-bit encryption algorithms. TI will also begin ramping up production of the 128-bit RFID chips, which have been available since 2003, the company said in a statement.

But Sabetti questioned whether the older technology is even seriously at risk.