Car and petrol pump security chips vulnerable

WASHINGTON - Tiny radio-transmitter chips that make possible high-security car keys and swipe-by petrol passes can be cracked using cheap technology, according to computer experts.

The radio-frequency ID, or RFID, system uses a relatively simple code that criminals can easily decipher, making it easier to steal a car or get a free tankful of petrol, the team at Johns Hopkins University in Baltimore, US, and RSA Laboratories said.

"We've found that the security measures built into these devices are inadequate," said Avi Rubin, technical director of the Johns Hopkins Information Security Institute.

"Millions of tags that are currently in use by consumers have an encryption function that can be cracked without requiring direct contact. An attacker who cracks the secret key in an RFID tag can then bypass security measures and fool tag readers in cars or at gas stations," Rubin said in a statement.
Made by Texas Instruments, the RFID system studied for the report uses a device that prevents a car from starting unless both the right key and the correctly coded RFID chip are used.

"The devices have been credited with significant reductions in auto theft rates, as much as 90 per cent," the researchers wrote. They cited Texas Instruments, which had been told about the problem, as saying the company had received no reports of thefts due to the vulnerability.

The fuel-purchase system uses a reader inside the gas pump that recognises a key-chain tag waved nearby and automatically charges a designated credit card.

More than 150 million of the Texas Instruments transponders are embedded in keys for newer vehicles built by at least three leading makers, and in more than 6 million key-chain gas tags, the researchers said.

The problem is that the mathematical key used to code the verification system is too short, they said.

They bought a commercial microchip costing less than US$200 ($281) and programmed it to find the key for a petrol-purchase tag. They linked 16 such chips together and cracked the key in about 15 minutes.

The researchers said a metal sheath could help prevent the problem. Texas Instruments representatives were unavailable for comment.

The RFID system they used is called a Digital Signature Transponder, and is distinct from the Electronic Product Code used by retailers and pharmacies for inventory control.

RSA Laboratories, based in Bedford, Massachusetts, is a division of RSA Security.

- REUTERS