A vulnerability in radio-frequency ID chips could put millions of users of wireless car key tags or speed pass payment devices at risk, according to a recent study by researchers at Johns Hopkins University and RSA Laboratories.
Using a relatively simple electronic device, criminals could wirelessly probe a car key tag or payment tag and then use the information obtained from the probe to crack the cryptographic key on the tag, Ari Juels, principal research scientist at RSA, explained.
By obtaining this key, an individual could circumvent the auto-theft prevention system in a person's car or charge gasoline purchases to the speed-pass owner's account.
TI System Tested
The vulnerability was detected in the Texas Instruments Registration and Identification System, a low-power radio-frequency security system used worldwide. More than 150 million of these transponders are embedded in keys for newer vehicles built by major manufacturers, Juels told NewsFactor. The digital signal transponders are also inside some 6 million key chain tags used for wireless gasoline purchases.
Tech-savvy thieves could initiate either a passive or active attack on the encryption technology, Juels said. In an active attack, the perpetrator scans the speed pass or key with a rogue RFID reader, although he must be in close proximity (from a few inches to one or two feet) to the targeted device.
In the passive attack, an individual could eavesdrop on the wireless communications between the RFID device and the reader, which could be done at a distance, Juels said.
Security Standards Needed
"We want to point out that standards are needed for RFID security, because these types of devices are now appearing in many different forms, from passports to consumer devices," he said. "The idea is to address weaknesses in the technology before they become more pervasive and costly."
Juels noted that TI is not the only provider of vulnerable RFID technology and said the company's products are better than others that offer no cryptography. The impact on supply chain RFID systems has not yet been determined, he said.
The radio-frequency ID system studied by the research team uses a passive transponder chip embedded in the key and a reader inside the car that is connected to the fuel injection system. If the reader does not recognize the transponder, the car will not start, even if the physical key inserted in the ignition is the correct one.
Easy Access
In the gasoline-purchase system studied by the researchers, a reader inside the gas pump must recognize a small key-chain tag that is waved in front of it. Upon system approval, the transaction is then charged to the tag owner's credit card.
Researchers unraveled the mathematical process used in this verification. They then purchased a commercial microchip costing less than US$200 and programmed it to find the secret key for a gasoline purchase tag owned by one of the researchers. By linking 16 such chips together, the group cracked the secret key in about 15 minutes. They had similar success with a chip-equipped car key.
The research team recommended a program of distributing free metallic sheaths to cover radio frequency devices when they are not being used, making it more difficult for thieves to electronically steal the secret keys in the tags.