The encryption in RFID microchips in some newer car keys and wireless payment tags may not keep thieves at bay, according to researchers from Johns Hopkins University and RSA Laboratories.
Using a relatively inexpensive electronic device, criminals could wirelessly probe a car key tag or payment tag, and then use the information obtained from the probe to crack the secret cryptographic key on the tag, the scientists said.
By obtaining this key, lawbreakers could more easily circumvent the auto theft prevention system in that person’s car or potentially charge their own petrol purchases to the tag owner’s account.
The researchers, led by said Avi Rubin, technical director of the Johns Hopkins Information Security Institute, uncovered the vulnerability while studying the Texas Instruments Registration and Identification System, a low-power radio-frequency security system used worldwide.
They said that more than 150 million of these transponders are embedded in keys for newer vehicles built by at least three leading manufacturers. The transponders are also inside more than 6 million key chain tags used for wireless petrol purchases.
The radio-frequency ID system studied by the research team was designed to thwart car thieves, provide fast and convenient contactless payments and safeguard wireless transactions. In vehicles, it uses a passive, unpowered transponder chip embedded in the key and a reader inside the car, connected to the fuel injection system.
If the reader does not recognize the transponder, the car will not start, even if the physical key inserted in the ignition is the correct one. This innovation has greatly reduced auto theft. In the petrol purchase system studied by the researchers, a reader inside the petrol pump must recognize a small key-chain tag that is waved in front of it. Upon system approval, the transaction is then charged to the tag owner’s credit card.
Security verification takes place through a procedure called a challenge/response protocol. When the key or tag is nearby, the reader transmits a random string of ones and zeroes to it. The transponder in the key or tag then processes these numbers in a specific way and sends a numeric message back to the reader for authentication.
The researchers from Johns Hopkins and RSA Laboratories were able to unravel the mathematical process used in this verification. They then purchased a commercial microchip costing less than $200 and programmed it to find the secret key for a petrol purchase tag owned by one of the researchers. By linking 16 such chips together, the group cracked the secret key in about 15 minutes.
(In this system, an owner’s credit card information is not carried on the chip and is not revealed by breaking the pass’s security. In addition, this system possesses other security safeguards designed to protect customers from repeated fraudulent purchases made with a contactless device. The company that markets this system has said it has no knowledge that any fraudulent purchases have ever been made with a cloned version of its device.)
The researchers had similar success with a chip-equipped car key. With the secret key in hand, the team was able to simulate the RFID tag and disarm the car’s anti-theft system without the built-in tag present. (Keyless remote control systems to lock and unlock car doors do not use RFID chips).
The researchers alerted Texas Instruments, manufacturer of the radio frequency systems, about the security vulnerabilities they had detected and demonstrated them to Texas Instruments in the lab.
The Johns Hopkins-RSA team recommended a program of distributing free metallic sheaths to cover its radio frequency devices when they are not being used. This could make it more difficult for thieves to electronically steal the secret keys in the tags when they were not in use.
The Texas Instruments system is only one of a number of RFID systems on the market. The Johns Hopkins-RSA team has also been examining another system, not produced by Texas Instruments, that uses an active, battery-powered transponder chip. The team expects to prepare a paper soon on that work.
The team has written a research paper that has been posted online here.