A study by Johns Hopkins University has found security
vulnerabilities in the RFID chips used in high-security car
keys and swipe-by gasoline passes. In the study,
researchers were able to crack the RFID chip in less than
15 minutes, making it possible for them to fool tag readers
in cars and gas stations.

It is unclear what this means for security applications
that utilize RFID tags, especially access control. The
research, co-sponsored by RSA Security Inc., tested RFID
tags using Digital Signature Transponder (DST) technology,
which is distinct from the Electronic Product Code (EPC)
technology used in other RFID tags – especially those used
by retailers and pharmacies for inventory control.

“We’ve found that the security measures built into these
devices are inadequate,” Avi Rubin, technical director of
the Johns Hopkins Information Security Institute,
said. “Millions of tags that are currently in use by
consumers have an encryption function that can be cracked
without requiring direct contact.”

Researchers say the big problem is that the cryptographic
key used in DST is too short. They bought a commercial
microchip costing less than $200 and programmed it to find
the key for a gasoline-purchase tag. They linked 16 such
chips together and cracked the key in about 15 minutes.

The solution, the researchers say, is to wrap a metal
sheath around the chip.