Technology researchers at Johns Hopkins University have found that radio frequency identification (RFID) technologies used for automobile locks and easy-pay gasoline systems are sorely lacking in protection, warning that opportunists could easily exploit the weakness for ill deeds.
The researchers, led by Avi Rubin, technical director of the Johns Hopkins Information Security Institute, cited poor encryption and inadequate protection from wireless hacking, which could allow access to automobiles or accounts that rely on the small, wireless-capable chips used for RFID.
The researchers claimed that the Texas Instruments system they cracked — a low-power, radio frequency security system used worldwide by top car manufacturers and for more than 6 million key chain tags used to purchase gasoline — could give tech-savvy thieves easy access.
“I think this sets back vehicle security about a decade,” lead researcher Rubin told TechNewsWorld.
Ease of Use
The Johns Hopkins researchers said that the RFID system they studied was designed to thwart car thieves and provide fast and convenient payments via safeguarded wireless transactions. The group found, however, that the TI tags — already in use around the world — were susceptible to attack using mathematics and low-cost processors.
“Millions of tags that are currently in use by consumers have an encryption function that can be cracked without requiring direct contact,” Rubin said in a statement. “An attacker who cracks the secret key in an RFID tag can then bypass security measures and fool tag readers in cars or at gas stations.”
The researchers said that they alerted TI and demonstrated the security breach to the company, which is among a number of different RFID system makers.
The Hopkins researchers, who teamed with RSA Security on the study, are putting other RFID systems to the test, Rubin said.
Ari Juels, RSA Laboratories principal research scientist, told TechNewsWorld the research was intended to head off more widespread distribution of the faulty RFID technology.
“Our aim is to uncover weaknesses like this in RFID devices before it becomes widespread and costly,” Juels said. “This points to the importance of implementing good security from the get-go.”
While the research does not indicate a general security problem with RFID, Juels said, additional research is expected to reveal more vulnerabilities.
“We are looking at other systems and there are other RFID devices in widespread use that we believe may have security weaknesses,” Juels said.
RFID systems are being rapidly deployed in manufacturing and distribution, with companies such as Wal-Mart requiring the technology from suppliers.
Juels said the researchers are still assessing the parameters of the RFID weakness, indicating that factors such as wireless range and other circumstances have yet to be investigated.
Juels said Texas Instruments, for example, was on the right track by including encryption in its RFID solution, but needed to harden it further.
“In cars as in commerce, RFID is becoming a linchpin for security in day-to-day life,” he said in a statement. “It is important that RFID devices offer a level of security commensurate with the value of the assets they protect.”