Johns Hopkins Researchers Say Thieves Could Exploit RFID Systems on Cars

BALTIMORE -- Researchers have found a way to crack codes used to deter car thieves and as a convenient way to buy gasoline, Johns Hopkins University announced Saturday, but the company that designed the technology says it's still secure.

The researchers say the RFID microchips used in some newer car keys and wireless payment tags are vulnerable to a "relatively inexpensive electronic device" developed by the research team.

Criminals could wirelessly probe a car key tag or payment tag in close proximity and use the information obtained by the probe to crack the secret cryptographic key on the tag, the researchers found. Thieves could then more easily get around the auto theft prevention system in a person's car or charge their own gasoline purchases to the tag owner's account.

"We stole our own car and we bought gas stealing from our own credit card," said Avi Rubin, a professor of computer science who led the research team.

The researchers say they discovered the vulnerability while studying the Texas Instruments Registration and Identification System. It's a low-power radio-frequency security system used worldwide. The researchers said more than 150 million of these transponders are embedded in keys for newer vehicles built by at least three leading manufacturers.

In vehicles, the technology involves a passive, unpowered transponder chip embedded in the key and a reader inside the car, connected to the fuel injection system. If the reader does not recognize the transponder, the car will not start, even if the physical key inserted in the ignition is the correct one.

In the gasoline purchase system studied by the researchers, a reader inside the gas pump must recognize a small key-chain tag that is waved in front of it. Upon system approval, the transaction is then charged to the tag owner's credit card.

The transponders are also inside more than 6 million key chain tags used for wireless gasoline purchases.

Texas Instruments was given demonstrations of the team's code cracking capabilities.

"They gave us some challenges. They gave us some chips and asked us if we could crack them and we cracked all of them within two hours," Rubin said.

But the company said that while team has accomplished some basic cryptographic deciphering, the researchers' claims of bypassing the system are exaggerated.

Tony Sabetti, a business manager with Texas Instruments, said the hardware used to crack the codes is cumbersome, expensive and not practical to common thieves.

"I think the way in which it's presented as being inexpensive to do and quick and all the rest of that is an exaggeration," Sabetti said. "And because of that, we believe the technology still is extremely secure for the applications that it's used in."

But Rubin said the code breaking demonstrations illustrates that developers did not pay enough attention to security.

"I think the implications are that it sets us back about 10 years ago where we were with car security," Rubin said.

The technology has been in use for about seven years. In that time, Texas Instruments has never had a reported incident where a car has been stolen or a speed pass has been cloned, said company spokesman Bill Allen.

"They're really not looking at either all of the security features nor are they looking at security features involved in what would be considered state-of-the-art solutions," Sabetti said.

Researchers say the findings are important because RFID is becoming a lynchpin for security in day-to-day life. They say they want to help the industry increase security.

A thief could get data from someone by getting close to a victim with a device and stealing a code. The researchers only needed a quarter of a second of access.

"You could like just bump someone, you know, brush up against them like a pick pocket except you don't have to acutally touch them," Rubin said.

The Johns Hopkins-RSA team recommended a program of distributing free metallic sheaths to cover its radio frequency devices when they are not being used. This could make it more difficult for thieves to electronically steal the secret keys in the tags when they were not in use.

The Texas Instruments system is only one of a number of RFID systems on the market. The Johns Hopkins team has also been examining another system, not produced by Texas Instruments, that uses an active, battery-powered transponder chip. The team expects to prepare a paper soon on that work.

The research was funded by RSA Security.