Not-so-secure keys

Von Bob Francis

A couple of weeks ago, I used an analogy about my grandfather"s wrecking yard to describe the search for better security, making the point that automobiles used to start with a mere foot pedal before the development of effective theft protection in the form of a car key.

Through a confluence of cosmic events, these two topics -- cars and security -- have once again come together.

A recent study conducted by Johns Hopkins University and RSA Laboratories found that a widely used RFID chip created by Texas Instruments Inc. (TI) and installed in a variety of car keys may be cheap and easy to hack. (You can read the report at

The car key chips are included on recent models of cars made by Nissan, Toyota, and Ford. The RFID chip is also used in the ExxonMobil Speedpass, a key tag that wirelessly completes transactions at gas pumps. According to TI, almost 150 million chips are in use in the United States.

The report states it"s easy to hack the chip in a car key. Thieves only need some relatively cheap equipment that can wirelessly interact with and then make a clone of the device. The clone would let them disable a car"s alarm system.

They couldn"t just drive away in a new Lexus, however. Getting into the car is still a problem. Apparently, after disabling the alarm, the thieves would have to resort to a good old-fashioned crowbar to crack a window. That"s a lot of trouble to go through just to steal the latest Kanye West CD.

When they examined the Speedpass system, the researchers were able to unravel the mathematical process used in verification. They then purchased a commercial microchip (costing less than US$200) and programmed it to find the secret key for a gasoline purchase tag owned by one of the researchers. By linking together 16 such chips, the group cracked the secret key in about 15 minutes.

That, too, is a lot of trouble, despite the price of gas. Thankfully, in the Speedpass system the owner"s credit card information isn"t carried on the chip and isn"t revealed by breaking the pass" security.

The researchers have some advice if you"re worried about the security of your Speedpass or your keys: Put aluminum foil around the device when it"s not in use. Apparently aluminum foil is just enough of a barrier to block unauthorized data transfers. And you thought those guys wearing foil hats were nuts? Nope, they"re just protecting their RFID chips. If only the rest of computer security were that easy.