RFID crack raises spectre of weak encryption

A recent hack of RFID technology from Texas Instruments raises questions about the security of some consumer services.

With a little bit of technical acumen and a few hundred dollars, enterprising thieves can walk away with some late model cars and gas them up for free to boot, according to research published by computer security experts at The Johns Hopkins University (JHU) in Baltimore and RSA Security's RSA Laboratories in Bedford, Massachusetts.

In January, the researchers published the results of a technical analysis of a kind of secure RFID (radio frequency identification) technology called Digital Signature Transponder (DST) from Texas Instruments (TI), which is widely used to secure newer-generation automobiles and electronic payment systems like Exxon Mobil's Speedpass. The work revealed serious weaknesses in the cryptographic security used to protect data sent back and forth, and shines a light on the problem of security systems that rely on aging or inadequate cryptography, according to experts.

The team of researchers included staff from JHU's Information Security Institute, including Avi Rubin, the computer security expert who gained fame for his analysis of flawed electronic voting technology from Diebold Inc.

Rubin and a team of three graduate students, along with cryptography experts from RSA, used reverse engineering techniques and custom-designed tools to crack the cryptographic keys used to secure the systems and simulate both the RFID DST tags and readers. The hack allowed researchers to disable a vehicle immobilizer in a 2005 Ford automobile using a specially-equipped laptop computer, and purchase gas at a number of Exxon Mobil locations with a home-made Speedpass device, according to a copy of their findings, which was posted online. (See: http://rfidanalysis.org/.)

The TI technology is vulnerable to attack because it uses a decade-old, 40-bit cryptographic key to encrypt communications between the RFID DST tags and readers, the researchers found. TI also used an unknown and proprietary encryption algorithm on its DST devices, but Rubin's team reverse-engineered the secret algorithm by observing the way DST tags responded to specially-crafted challenges. Once they guessed the algorithm, researchers created a software program that could be used in so-called brute-force attacks on DST devices to recover their secret cryptographic keys, Rubin said.

The researchers worked for two months to break the TI algorithm, but once it was cracked, they made short work of the rest of TI's product, designing tools that guessed the encryption keys on five TI gas Speedpasses in two hours, Rubin said.

Other commercial security systems also use the DST technology, including cardkey access systems for buildings and livestock tracking products, he said.

But Tony Sabetti, global business manager for TI's RFID Systems, said that Rubin's team only broke one element of the system's security, and that successful thieves would need to defeat more security features to carry out a crime. For example, even crooks who could disable the vehicle immobilization feature would still have to find a way to start the car. And, for the Speedpass payment system, TI has other security features in place to stop fraudulent purchases, which the company cannot discuss, he said.

Sabetti said that TI does sell updated versions of the RFID technology that uses more advanced, 128-bit encryption algorithms. TI will also begin ramping up production of the 128-bit RFID chips, which have been available since 2003, the company said in a statement.

But Sabetti questioned whether the older technology is even seriously at risk.

"(JHU's) methods are wildly beyond the reach of most researchers," he said. "JHU is not painting an accurate picture of the risk for consumers. We recommend that customers apply the level of security they need for the application, and we're vigilant in making sure the systems are secure. I don't see any reason to change this approach," Sabetti said.

TI also said it would be difficult for attackers to read RFID tags so that they could then clone them, or intercept communications, noting that the equipment Rubin's team designed to do just that was "complex, expensive and cumbersome."

"When you're talking about snooping (RFID) transactions out of someone's pocket, one would have to ask 'What are the odds of that?'" Sabetti said.

But Rubin said that motivated thieves, such as organized crime groups, could have the desire and resources to carry out similar attacks, and noting that his group did simulate (and video tape) a successful attack in which the signal from an RFID Speedpass was captured. Assuming that the technology is too hard to crack is a mistake, he said.

"People build systems and underestimate what an attacker could do to take advantage of (them)," he said.

Unlike voting machine maker Diebold, Rubin said that TI paid attention to security when it designed the DST system, but that the product needs to be updated with stronger encryption, or an alternative system for authenticating users. The JHU hack also calls attention to a more widespread lack of security in consumer software and other products, he said.

"There are a lot of consumer products out there that don't have adequate security," he said.

Bruce Schneier, of CounterPane Internet Security Inc., agreed, saying that it's common for consumer systems to have inadequate security.

"The number of lousy encryption systems out there is amazing...even to me," he wrote in an e-mail.

Still, companies must weigh the cost of implementing stronger security against the cost of fraud, Schneier said.

"If a company is losing US$1 million a year to fraud, and fixing the security costs US$2 million a year, then it would be foolish for it to fix the system," he said.

However, the question of adequate versus inadequate security on systems like Speedpass and auto antitheft devices becomes more complicated when consumers, not companies, pay the cost of fraud.

"My worry is when a company implements poor security, and then the users suffer losses because of it.," Schneier said. "If TI's customers are losing money because of bad TI security, then TI has both a moral and legal obligation to either inform its customers or fix the system."